Deserialization vulnerability with remote code execution in commons.collections

Over the weekend, news broke of a nasty issue in the Apache commons collections library. Some of the applications affected by this are JBoss, Websphere, Weblogic and Jenkins. But essentially every application that depends on commons.collections and accepts serialized objects as input is vulnerable.

  • Tim De Grande
  • November 9, 2015

(Header image by Yuri Samoilov)

The serialization issue was first discovered some months ago, but never really drew much attention. That is until Steve Breen at FoxGlove  security wrote an interesting blog post on it. In it he explains in detail how serialization works in Java and how it introduces certain risks when it's exposed to the outside world. He points to this bit of code, which generates a serialized Map from commons.collections containing a TransformerChain. This chain is executed immediately upon deserialization. One of the transformers in the chain is an InvokerTransformer. This transformer will use reflection to execute a specific method on a specific object with the specified parameters. 

The exploit chains these transformers to execute: Runtime.getRuntime().exec(...) which allows you to execute any command you want in the context of the application (even before the object is returned to the application)


At the moment there is no patch available from Apache commons. Even if there was, you still need to get it where it's needed. Most application servers include it in their dependencies, so you'd need to update them manually. Once that's done, you still need to patch the application itself.

In the meantime there's no easy fix for this. If your application depends on deserialization, you may want to override the resolveClass() method of ObjectInputStream to only accept the types you know are safe.


As you know, it's never a good idea to blindly trust anything that enters your application. Therefore your best fix is just not to risk it in the first place. Don’t deserialize untrusted data. As that article also mentions, it might be a better idea not to use the default Java serialization: you can use a JSON or XML serialization instead.

(More serialization hacks with AnnotationInvocationHandler)

About this author:

Tim De Grande

Tim De Grande is a principal Java developer at Ordina who is interested in security and cryptography. He keeps his colleagues up to date on the latest security news and works to broaden their understanding by giving workshops and classes.