(DEPRECATED) Apache Flink Mailing List archive.

[jira] [Created] (FLINK-3005) Commons-collections object deserialization remote command execution vulnerability

classic Classic list List threaded Threaded
1 message Options
Shang Yuanchun (Jira)
Reply | Threaded
Open this post in threaded view
|

[jira] [Created] (FLINK-3005) Commons-collections object deserialization remote command execution vulnerability

Shang Yuanchun (Jira)
Ted Yu created FLINK-3005:
-----------------------------

             Summary: Commons-collections object deserialization remote command execution vulnerability
                 Key: FLINK-3005
                 URL: https://issues.apache.org/jira/browse/FLINK-3005
             Project: Flink
          Issue Type: Bug
            Reporter: Ted Yu


http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

TL;DR: If you have commons-collections on your classpath and accept and process Java object serialization data, then you may have an exploitable remote command execution vulnerability.

Brief search in code base for ObjectInputStream reveals several places where the vulnerability exists.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
Free forum by Nabble Edit this page