Unfortunately, this update does not actually fix the deserialization vulnerability; it only adds a security check. Serialization of the dangerous functor classes is permitted only when the system property "org.apache.commons.collections.enableUnsafeSerialization" is set to "true"; otherwise an UnsupportedOperationException is thrown.
Analysis Process:
Since the 3.2.1 source code was not at hand, the 3.2.1 and 3.2.2 jar packages were decompiled and the decompiled sources were compared with a diff tool. The result is as follows:
In the org.apache.commons.collections.functors.FunctorUtils class, a new method that checks the property is added (note that the method is package-private, so it is only reachable from classes in the same package):

    static void checkUnsafeSerialization(Class clazz) {
        String unsafeSerializableProperty;
        try {
            // Read the switch inside a privileged block so a SecurityManager
            // policy that restricts the caller does not hide the property.
            unsafeSerializableProperty = (String) AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    return System.getProperty("org.apache.commons.collections.enableUnsafeSerialization");
                }
            });
        } catch (SecurityException ex) {
            unsafeSerializableProperty = null;
        }
        // Anything other than "true" (case-insensitive), including an unset property, is rejected.
        if (!"true".equalsIgnoreCase(unsafeSerializableProperty)) {
            throw new UnsupportedOperationException(
                    "Serialization support for " + clazz.getName() + " is disabled for security reasons. "
                    + "To enable it set system property 'org.apache.commons.collections.enableUnsafeSerialization' to 'true', "
                    + "but you must ensure that your application does not de-serialize objects from untrusted sources.");
        }
    }
The following two private methods are added to several functor implementation classes in the same package (the example below is taken from CloneTransformer):

    private void writeObject(ObjectOutputStream os) throws IOException {
        FunctorUtils.checkUnsafeSerialization(CloneTransformer.class);
        os.defaultWriteObject();
    }

    private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
        FunctorUtils.checkUnsafeSerialization(CloneTransformer.class);
        is.defaultReadObject();
    }

(These two private methods are the standard Java serialization hooks: ObjectOutputStream and ObjectInputStream look up writeObject/readObject on the class by reflection and invoke them during serialization and deserialization, so the check runs on both the writing and the reading side.)
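To see how the 3.2.2 switch behaves from both sides of the wire, here is an added example (written for this write-up, not code from the original page or from the Commons Collections project). It assumes commons-collections-3.2.2.jar is on the classpath; the class name UnsafeSerializationSwitchDemo and the helper names are arbitrary. It first shows that producing the bytes is also gated, then produces the bytes with the switch on (as an attacker would in their own JVM) and replays them into a JVM with the switch unset, "false", and "true":

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.CloneTransformer;

/**
 * Added demo (not part of Commons Collections): round-trips a CloneTransformer
 * through Java serialization under the three states of the 3.2.2 switch.
 * Requires commons-collections-3.2.2.jar on the classpath.
 */
public class UnsafeSerializationSwitchDemo {

    // Property name read by FunctorUtils.checkUnsafeSerialization in 3.2.2.
    static final String PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    // null means "property not set at all".
    static void setSwitch(String value) {
        if (value == null) {
            System.clearProperty(PROP);
        } else {
            System.setProperty(PROP, value);
        }
    }

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj); // triggers the private writeObject hook
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject(); // triggers the private readObject hook
        }
    }

    /** Deserializes bytes with the switch at switchValue; returns "ok ..." or "blocked: ...". */
    static String tryDeserialize(byte[] bytes, String switchValue)
            throws IOException, ClassNotFoundException {
        setSwitch(switchValue);
        try {
            Object back = deserialize(bytes);
            return "ok (" + back.getClass().getName() + ")";
        } catch (UnsupportedOperationException e) {
            // Thrown by checkUnsafeSerialization; ObjectInputStream propagates RuntimeExceptions as-is.
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Transformer gadget = CloneTransformer.getInstance();

        // 1. writeObject is gated too: with the switch off, even producing the bytes fails.
        setSwitch(null);
        try {
            serialize(gadget);
            System.out.println("serialize with switch unset: ok");
        } catch (UnsupportedOperationException e) {
            System.out.println("serialize with switch unset: blocked");
        }

        // 2. The attacker builds the payload in a JVM they control, where the switch is simply on.
        setSwitch("true");
        byte[] payload = serialize(gadget);

        // 3. Only the switch in the JVM that deserializes matters.
        System.out.println("receiver unset   -> " + tryDeserialize(payload, null));
        System.out.println("receiver 'false' -> " + tryDeserialize(payload, "false"));
        System.out.println("receiver 'true'  -> " + tryDeserialize(payload, "true"));
    }
}
```

The practical check this suggests: because the switch is a JVM-wide system property, audit the JVM's -D flags and any framework or startup code that sets system properties, since a single "true" set anywhere in the process re-enables deserialization of these functors for every ObjectInputStream in it.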
Summary:
Apart from the other bug fixes in this release, the deserialization security issue is not resolved: anyone who needs to serialize these functors for legitimate reasons is forced to set the system property above, and since the property is a JVM-wide switch rather than a per-stream check, doing so re-enables deserialization of the gadget classes for the whole application.
Deserialization vulnerability analysis report from WooYun Drops: http://drops.wooyun.org/papers/10467
Apache has released the commons-collections 3.2.2 update, but it still does not resolve the deserialization security issue