Apache Commons Vulnerability

VUIT Security Notice: New vulnerability found in Apache Commons

Vanderbilt IT would like to bring the following information to the technical community’s attention, especially those whose applications deserialize Java objects and use the Apache Commons Collections library. This vulnerability could allow remote exploitation without authentication.

Affected applications include:

  • Oracle WebLogic Server: versions 10.3.6.0, 12.1.2.0, 12.1.3.0, 12.2.1.0
  • IBM WebSphere: versions before 8.5 and 8.5.5
  • JBoss: all versions
  • Jenkins: versions before 1.638 and 1.625.2
  • OpenNMS: all versions

The security vulnerability has been identified as critical because it can be exploited remotely and can potentially allow the attacker to take control of the affected machine. In turn, this grants the attacker access to other systems within the network.

VUIT Security Operations will continue to monitor this vulnerability closely and has begun scanning to determine whether any externally reachable products carry the vulnerability. Because this vulnerability is actively being exploited, VUIT recommends that users patch as soon as possible. In the meantime, avoid Java serialization where you can, or limit which classes may be deserialized by subclassing ObjectInputStream and overriding its resolveClass method.

Please reference the list of patches below to determine which patch is appropriate for your application:

For more information, please contact VUIT Security Operations at vuit.incident.response@vanderbilt.edu.

Sources and References:
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
https://isc.sans.edu/forums/diary/Oracle+WebLogic+Server+CVE20154852+patched/20369/
http://fishbowl.pastiche.org/2015/11/09/java_serialization_bug/