CVE-2015-6420
Remote code execution vulnerability in commons-collections4 (Maven)

Remote code execution Proof of concept

What is CVE-2015-6420 About?

This vulnerability allows remote code execution in Java applications that use Apache Commons Collections and deserialize a crafted serialized Java object supplied by an attacker. It lets the attacker run arbitrary commands on the affected system. Exploitation depends on an entry point that deserializes untrusted data: the library itself never deserializes anything, it only supplies the classes (the 'gadgets') that make such an entry point exploitable.

Affected Software

  • org.apache.commons:commons-collections4
    • <4.1
  • commons-collections:commons-collections
    • <3.2.2
  • net.sourceforge.collections:collections-generic
    • <=4.0.1
  • org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic
    • <=4.01
  • org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections
    • <=3.2.1

Technical Details

The weakness is not a single bug in Apache Commons Collections (ACC) but a property of its functor classes. Transformer implementations such as InvokerTransformer, which calls a method chosen by name through reflection, and ChainedTransformer, which feeds each transformer's output into the next, are Serializable, and a chain of them can reach Runtime.exec(). An attacker builds a serialized object graph in which such a chain is wired into a collection, for example a map that computes values through its transformers on access, and arranges for a readObject() hook of some class on the server's classpath to call transform() while the graph is being reconstructed. The moment the application passes the attacker's bytes to ObjectInputStream.readObject(), the embedded command runs; no application code after readObject() is involved. Java serialization does not validate the class graph it reconstructs, so the only prerequisites are a vulnerable ACC version on the classpath and an endpoint that deserializes untrusted input, typically a web application endpoint.
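The property that the fixed releases change is whether the unsafe functor can be written to a serialized stream at all. The following probe, added here as an example and not part of the page or of the Commons Collections project, asks the jar that is actually on the classpath that question instead of trusting a version string. The class names and static factory names (getInstance in 3.x, invokerTransformer in 4.x) are the library's real ones; the probe class, its Status enum and the placeholder method name "toString" are assumptions for this example. The expected outcomes per version come from the 3.2.2 and 4.1 release notes (COLLECTIONS-580).

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Method;

/**
 * Checks, for whichever Commons Collections artifact is on the classpath, whether the
 * InvokerTransformer functor can still be written to a serialized stream.
 * Reflection is used so the same class compiles against 3.x, 4.x, or neither.
 */
public class UnsafeFunctorProbe {

    // {class name, name of the static factory that takes the target method name}
    private static final String[][] CANDIDATES = {
        {"org.apache.commons.collections.functors.InvokerTransformer",  "getInstance"},        // commons-collections 3.x
        {"org.apache.commons.collections4.functors.InvokerTransformer", "invokerTransformer"}, // commons-collections4 4.x
    };

    /** Outcome for one artifact, returned rather than printed so a build step can fail on it. */
    public enum Status { ABSENT, SERIALIZABLE, DISABLED_BY_DEFAULT, NOT_SERIALIZABLE }

    public static Status probe(String className, String factory) throws ReflectiveOperationException {
        Class<?> cls;
        try {
            cls = Class.forName(className);
        } catch (ClassNotFoundException e) {
            return Status.ABSENT;
        }
        Method m = cls.getMethod(factory, String.class);
        // "toString" is only a placeholder method name (assumption for the example);
        // transform() is never called, so nothing is executed by the probe itself.
        Object functor = m.invoke(null, "toString");
        try (ObjectOutputStream oos = new ObjectOutputStream(new ByteArrayOutputStream())) {
            oos.writeObject(functor);
            return Status.SERIALIZABLE;         // 3.2.1 / 4.0 and earlier: the gadget can travel in a stream
        } catch (NotSerializableException e) {
            return Status.NOT_SERIALIZABLE;     // 4.1: the functor no longer implements Serializable
        } catch (UnsupportedOperationException e) {
            return Status.DISABLED_BY_DEFAULT;  // 3.2.2: writeObject() refuses unless the
                                                // org.apache.commons.collections.enableUnsafeSerialization property is "true"
        } catch (IOException e) {
            throw new IllegalStateException("unexpected serialization failure", e);
        }
    }

    public static void main(String[] args) throws Exception {
        for (String[] c : CANDIDATES) {
            System.out.println(c[0] + " -> " + probe(c[0], c[1]));
        }
    }
}
```

Read the result as a statement about one gadget chain only: SERIALIZABLE means the payload can be carried (and on 3.2.2 it also means someone has set the enableUnsafeSerialization property, which should be treated as a finding in itself); DISABLED_BY_DEFAULT or NOT_SERIALIZABLE means this chain is closed, not that deserializing untrusted input has become safe.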

What is the Impact of CVE-2015-6420?

Successful exploitation may allow attackers to execute arbitrary code with the privileges of the affected application, leading to a complete compromise of the system.

What is the Exploitability of CVE-2015-6420?

Exploitation is of medium complexity. It requires an application entry point that accepts and deserializes Java serialized objects from an untrusted source; if that entry point is publicly reachable, no authentication is usually needed, but network access to the service is. The attacker crafts a serialized payload from one of the known Apache Commons Collections gadget chains, and the payload must match what is actually on the server: the ACC artifact and version, and the class whose readObject() starts the chain, which comes from the JDK or another library, so the Java version matters as well. In practice this means knowing what is on the server's classpath. The attacker may also have to get the payload past network defenses that inspect for the serialized-stream header. The risk factors are therefore publicly exposed deserialization endpoints and the absence of any restriction on which classes a serialized stream may instantiate.
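Finding the exposed entry points is the first step on the defensive side as well, and it can be done from traffic or logs without knowing anything about the gadget chain: every Java serialized stream begins with the same four bytes, and the usual transport encodings preserve a recognisable prefix. The detector below is an added example, not code from the page or from any project it mentions; the class name is an assumption, and the sample inputs are constructed inline (a serialized String and a JSON body) so that it runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.GZIPInputStream;

/** Recognises Java serialization streams in request bodies or parameters, in the encodings they usually arrive in. */
public class SerializedStreamDetector {

    // STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5): the fixed first four bytes of every Java serialized stream.
    private static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    private static final byte[] GZIP  = {0x1F, (byte) 0x8B};

    public static boolean looksSerialized(byte[] data) {
        if (startsWith(data, MAGIC)) {
            return true;
        }
        if (startsWith(data, GZIP)) {
            // Compressed bodies: inflate just enough to see the header.
            try (DataInputStream in = new DataInputStream(new GZIPInputStream(new ByteArrayInputStream(data)))) {
                byte[] head = new byte[MAGIC.length];
                in.readFully(head);
                return startsWith(head, MAGIC);
            } catch (IOException e) {
                return false;
            }
        }
        String text = new String(data, StandardCharsets.ISO_8859_1).trim();
        // Base64 of AC ED 00 05 always encodes to the prefix "rO0AB" (identical in the URL-safe alphabet).
        if (text.startsWith("rO0AB")) {
            return true;
        }
        String lower = text.toLowerCase();
        // Hex and percent-encoded forms, as seen in query strings and form fields.
        return lower.startsWith("aced0005") || lower.startsWith("%ac%ed%00%05");
    }

    private static boolean startsWith(byte[] data, byte[] prefix) {
        if (data == null || data.length < prefix.length) {
            return false;
        }
        for (int i = 0; i < prefix.length; i++) {
            if (data[i] != prefix[i]) {
                return false;
            }
        }
        return true;
    }

    /** Constructed sample input: serializes a harmless String so the header is genuine rather than hand-typed. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] raw    = serialize("hello");
        byte[] base64 = Base64.getEncoder().encode(raw);
        byte[] json   = "{\"user\":\"alice\"}".getBytes(StandardCharsets.UTF_8);
        System.out.println("raw body     : " + looksSerialized(raw));
        System.out.println("base64 param : " + looksSerialized(base64));
        System.out.println("json body    : " + looksSerialized(json));
    }
}
```

A hit is an inventory item, not a verdict: each endpoint where such input arrives is a deserialization entry point that needs either removal, an allow-list filter, or proof that the input cannot be attacker-controlled. Absence of hits proves little, since an attacker can wrap the stream in an encoding the detector does not look for.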

What are the Known Public Exploits?

PoC Author    Link    Commentary
Leeziao       Link    PoC for CVE-2015-6420

What are the Available Fixes for CVE-2015-6420?

Available Upgrade Options

  • org.apache.commons:commons-collections4
    • <4.1 → Upgrade to 4.1 (from 4.1 the unsafe functor classes, InvokerTransformer among them, no longer implement Serializable)
  • commons-collections:commons-collections
    • <3.2.2 → Upgrade to 3.2.2 (serialization of the unsafe functors is disabled by default; leave the system property org.apache.commons.collections.enableUnsafeSerialization unset, since setting it to true reopens the gadget chain)

These upgrades close the Commons Collections chain only. An endpoint that deserializes untrusted input stays exploitable through gadget chains in other libraries, so the upgrade should be paired with a restriction on which classes a serialized stream is allowed to instantiate.
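The restriction that covers other gadget chains as well is a deserialization filter (JEP 290, the java.io.ObjectInputFilter API in Java 9+; in 8u121, 7u131 and 6u141 the same API is backported under sun.misc.ObjectInputFilter). The example below is added here and is not code from the page or from the Commons Collections project: the Greeting message type and the class name are assumptions standing in for whatever an endpoint legitimately expects, and the ArrayList is a stand-in for an unexpected object graph, which is rejected on exactly the path a real gadget class would be.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class FilteredDeserialization {

    /** Hypothetical message type this endpoint legitimately receives (an assumption for the example). */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    /**
     * Allow-list filter in JEP 290 pattern syntax; the first matching pattern wins.
     *  - resource limits come first, so an oversized or deeply nested stream is dropped cheaply;
     *  - the one class the endpoint expects is allowed by exact name;
     *  - the ACC packages are named explicitly only so that a rejection is self-explanatory in logs;
     *  - "!*" rejects every other class, which is what actually closes the door on gadget chains.
     */
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1000;maxrefs=500;maxbytes=65536;"
            + "FilteredDeserialization$Greeting;"
            + "!org.apache.commons.collections.**;"
            + "!org.apache.commons.collections4.**;"
            + "!*");

    /** The vulnerable shape: any class on the classpath may be instantiated while reading. */
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** The hardened shape: the filter is consulted before each class is resolved, so a gadget class is refused before any of its code runs. */
    static Object filteredRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        // Constructed stand-in for an attacker-shaped stream; a real gadget class is rejected on the same path.
        byte[] unexpected = serialize(new ArrayList<>(List.of("not", "a", "greeting")));

        System.out.println("expected  : " + ((Greeting) filteredRead(expected)).text);
        try {
            filteredRead(unexpected);
            System.out.println("unexpected: accepted (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("unexpected: rejected -> " + e.getMessage());
        }
        // unsafeRead(unexpected) returns the list without complaint; on a vulnerable classpath the
        // same call with a crafted stream would run the gadget chain before returning anything.
    }
}
```

Prefer the allow-list form over a deny-list of known gadget packages: a deny-list has to be updated for every new chain, whereas "!*" needs no knowledge of them. For code paths you do not control (frameworks, RMI, JMX), the same pattern syntax can be applied process-wide with -Djdk.serialFilter=... as a safety net, with the per-stream filter kept as the primary control.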


Additional Resources

What are Similar Vulnerabilities to CVE-2015-6420?

Similar Vulnerabilities: CVE-2015-3253, CVE-2019-17558, CVE-2020-13936, CVE-2020-5398, CVE-2016-2169