Apache Commons Library Vulnerability
Date: 13 November 2015
The purpose of this alert is to bring attention to a recently disclosed vulnerability in the Apache Commons Collections library. Apache Commons Collections is a Java library that extends the Java Collections Framework with additional collection classes. The library is bundled by default in multiple Java application servers and other products, including Oracle WebLogic, IBM WebSphere, JBoss, Jenkins and OpenNMS. The flaw is specifically in the Collections component of Apache Commons and stems from unsafe deserialization of Java objects: a class in the library (InvokerTransformer, see COLLECTIONS-580 in the references) can be made to invoke arbitrary methods when an attacker-supplied serialized object is deserialized. The issue was discovered in January 2015 and a proof of concept was published on November 6, 2015.
The 3.2 and 4.0 branches of Apache Commons Collections (commons-collections) have been identified as affected. Older versions of Apache Commons Collections might also be affected but have not yet been identified.
According to reports, exploitation of unpatched systems will be difficult to detect. The attack is contained in a single network packet, and once a system is compromised the exploit runs in memory. It is particularly difficult for Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to detect, since the attack code is reported to be encoded in a serialized Java object and the malware is never written to disk.
Exploitation of this vulnerability could ultimately allow an attacker to execute arbitrary code on the system without authentication.
CCIRC recommends that owners/operators who have deployed products that contain (or may contain) Apache Commons Collections contact their vendor for confirmation and mitigation directives. Users may scan their servers for the Java deserialization vulnerability with the scanner mentioned in the references, at their own risk and without guarantees.
- SerializeKiller (Java deserialization vulnerability Scanner)
- Commons Collections COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer
- Oracle Security Alert for CVE-2015-4852
- Proof of Concept Exploit:
- Critical Java Bug Extends to Oracle, IBM Middleware
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that the CCIRC PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118