Apache released update commons-collections 3.2.2, but still fails to resolve the deserialization security issue

Source: Internet
Author: User

Unfortunately, this update does not actually fix the deserialization vulnerability; it only adds a security check. The check reads the system property `org.apache.commons.collections.enableUnsafeSerialization`: if the property is not set to the value "true", serializing or deserializing the affected functor classes throws an UnsupportedOperationException; if it is set to "true", the classes serialize and deserialize exactly as before.

Analysis Process:
Since no 3.2.1 source was at hand, both the 3.2.1 and the 3.2.2 jar packages were decompiled and the decompiled sources compared with a diff tool, with the following result:

In the org.apache.commons.collections.functors.FunctorUtils class, a new method that checks the property is added. Note that the method is package-private, so it is only callable from classes in the same package (reconstructed from the decompiled output; the property name is inlined as a string literal by the decompiler, and the method relies on java.security.AccessController and java.security.PrivilegedAction):

    static void checkUnsafeSerialization(Class clazz) {
        String unsafeSerializableProperty;
        try {
            // Read the property inside a privileged block so the check also works
            // when a SecurityManager denies the caller direct property access.
            unsafeSerializableProperty = (String) AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    return System.getProperty("org.apache.commons.collections.enableUnsafeSerialization");
                }
            });
        } catch (SecurityException ex) {
            unsafeSerializableProperty = null;
        }
        // Anything other than "true" (including an unset property) blocks (de)serialization.
        if (!"true".equalsIgnoreCase(unsafeSerializableProperty)) {
            throw new UnsupportedOperationException(
                    "Serialization support for " + clazz.getName() + " is disabled for security reasons. "
                    + "To enable it set system property 'org.apache.commons.collections.enableUnsafeSerialization' to 'true', "
                    + "but you must ensure that your application does not de-serialize objects from untrusted sources.");
        }
    }

The following two private methods are added to several of the functor implementation classes in that package (shown here as added to CloneTransformer):

    private void writeObject(ObjectOutputStream os) throws IOException {
        FunctorUtils.checkUnsafeSerialization(CloneTransformer.class);
        os.defaultWriteObject();
    }

    private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
        FunctorUtils.checkUnsafeSerialization(CloneTransformer.class);
        is.defaultReadObject();
    }

(These two private methods are the standard Java serialization hooks: ObjectOutputStream and ObjectInputStream look them up by name and invoke them through reflection when an instance of the class is written or read. Because the property check runs inside readObject, it executes only after the class has already been resolved and the stream has started reading the object.)

Summary:
Apart from the other bug fixes, the deserialization issue is not really resolved. The gadget classes are still present and still implement Serializable; the only change is that serializing or deserializing them now requires the system property above. Any application that legitimately serializes these functors is forced to set the property to keep working, and as soon as it does, the behaviour is the same as in 3.2.1.
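The following program is an added example, not code from the original post or from the Commons Collections project. It assumes commons-collections 3.2.2 on the classpath and uses InvokerTransformer, one of the functor classes that received the same writeObject/readObject hooks in 3.2.2 as the CloneTransformer shown above. It demonstrates the three behaviours discussed: the default gate, the gate switched off by the property, and the check a practitioner actually wants, an ObjectInputStream that rejects the functor package in resolveClass, before any readObject hook runs and independent of the property. The class name FilteringObjectInputStream and its blocked-package policy are illustrative choices, not part of the library.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;

import org.apache.commons.collections.functors.InvokerTransformer;

public class UnsafeSerializationCheck {

    static final String PROPERTY = "org.apache.commons.collections.enableUnsafeSerialization";

    /** Serialize and immediately deserialize an object with a plain ObjectInputStream. */
    static Object roundTrip(Serializable obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();
        }
    }

    /**
     * Illustrative hardening (not part of commons-collections): refuse the functor package by
     * class name. resolveClass runs before the object is instantiated, so the rejection happens
     * before InvokerTransformer.readObject and before FunctorUtils.checkUnsafeSerialization.
     */
    static final class FilteringObjectInputStream extends ObjectInputStream {
        private static final String BLOCKED_PREFIX = "org.apache.commons.collections.functors.";

        FilteringObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (desc.getName().startsWith(BLOCKED_PREFIX)) {
                throw new InvalidClassException(desc.getName(),
                        "deserialization of commons-collections functors is not allowed");
            }
            return super.resolveClass(desc);
        }
    }

    public static void main(String[] args) throws Exception {
        // A harmless InvokerTransformer instance; the class is what matters, not what it invokes.
        InvokerTransformer gadget = new InvokerTransformer("toString", new Class[0], new Object[0]);

        // 1. Default: property unset, so checkUnsafeSerialization throws from writeObject
        //    before a single byte of the functor is written.
        System.clearProperty(PROPERTY);
        try {
            roundTrip(gadget);
            System.out.println("UNEXPECTED: serialization succeeded with the property unset");
        } catch (UnsupportedOperationException e) {
            System.out.println("default (property unset): " + e.getMessage());
        }

        // 2. Property set to "true": the 3.2.2 check is switched off and the functor
        //    serializes and deserializes exactly as in 3.2.1.
        System.setProperty(PROPERTY, "true");
        Object back = roundTrip(gadget);
        System.out.println("property=true: round trip ok, got " + back.getClass().getName());

        // 3. Filtering stream: blocked by class name regardless of the property, so the
        //    protection no longer depends on a JVM-wide setting that 3.2.2 lets anyone flip.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(gadget); // allowed here only because the property is still "true"
        }
        try (ObjectInputStream ois = new FilteringObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            ois.readObject();
            System.out.println("UNEXPECTED: filtering stream accepted the functor");
        } catch (InvalidClassException e) {
            System.out.println("filtering stream: rejected " + e.getMessage());
        }
    }
}
```

Run it with the 3.2.2 jar on the classpath (`java -cp commons-collections-3.2.2.jar:. UnsafeSerializationCheck`). Step 2 is the point of the post: one `-D` flag or `System.setProperty` call anywhere in the JVM restores the 3.2.1 behaviour for every functor class at once. Step 3 is the control an application owner can actually rely on, since it does not care which library version is loaded or how the property is set.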

Deserialization vulnerability analysis report from WooYun drops: http://drops.wooyun.org/papers/10467
