
Remote Code Execution vuln in Apache Commons Collections 3.x<3.2.2 & 4.x<4.1 #23637

Closed
c0bw3b opened this issue Mar 8, 2017 · 7 comments

Comments

@c0bw3b
Contributor

c0bw3b commented Mar 8, 2017

Issue description

This vulnerability has been around since 2015 and was previously mentioned in security round-up #18856 (as LWN vuln #682387).

Related CVEs are CVE-2015-4852 for Oracle Weblogic and CVE-2015-7501 for JBoss.

Recently Google raised awareness that this was still an issue, as commons-collections is embedded into a lot of open source products and vulnerable versions were still used. They took to GitHub to propose corrective PRs through an operation they called Operation Rosehub, as explained in this blog post.
The San Francisco Municipal Transportation Agency was hacked because of this.

How to fix

  • Packages using commons-collections v3.x need to upgrade to v3.2.2
  • Packages using commons-collections v4.0 need to upgrade to v4.1

Packages affected

  • JBoss 7.1.1 : includes commons-collections 3.2.1
  • Apache Mesos 1.1.0 : depends on 3.x before 3.2.2
  • Chronos : already marked as broken but would be affected
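A small audit helper, added here as an example and not part of the issue or of nixpkgs, that applies the version rule stated above (3.x before 3.2.2, 4.x before 4.1) to jar file names found on a classpath. The sample paths are constructed; the `commons-collections4-` artifact name is the one used by the 4.x line.

```python
import re

# Fixed versions from the issue: 3.x needs 3.2.2, 4.x needs 4.1.
FIXED = {3: (3, 2, 2), 4: (4, 1, 0)}

# Matches both artifact names: commons-collections-3.2.1.jar and
# commons-collections4-4.0.jar, with an optional qualifier such as -SNAPSHOT.
JAR_RE = re.compile(r"commons-collections4?-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text):
    """Turn '4.0' into a comparable tuple padded to three numbers: (4, 0, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_vulnerable(version):
    """True when the version falls in a range the issue lists as affected."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # major versions outside the issue's stated ranges are not flagged
    return v < fixed


def scan_jar_names(jar_paths):
    """Return (path, version) for every commons-collections jar in an affected range."""
    findings = []
    for path in jar_paths:
        match = JAR_RE.search(path)
        if match and is_vulnerable(match.group(1)):
            findings.append((path, match.group(1)))
    return findings


# Constructed sample classpath; not taken from any real deployment.
SAMPLE_JARS = [
    "/opt/jboss/modules/org/apache/commons/collections/main/commons-collections-3.2.1.jar",
    "/opt/mesos/lib/commons-collections-3.2.2.jar",
    "/srv/app/WEB-INF/lib/commons-collections4-4.0.jar",
    "/srv/app/WEB-INF/lib/commons-collections4-4.1.jar",
    "/srv/app/WEB-INF/lib/commons-lang-2.6.jar",
]

if __name__ == "__main__":
    for path, version in scan_jar_names(SAMPLE_JARS):
        print(f"affected commons-collections {version}: {path}")
```

On a real host, feed it the output of `find / -name 'commons-collections*.jar'`; a jar that embeds the classes under another name will not be caught by a filename check.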
@c0bw3b
Contributor Author

c0bw3b commented Mar 8, 2017

@grahamc security-related, you may want to add the appropriate label on this issue

@shlevy you seem to be the most recent maintainer to have pushed a JBoss upgrade

@cstrahan for Mesos

@shlevy
Member

shlevy commented Mar 8, 2017

😮 I have no idea what jboss is, but I clearly did in 2013...

@NeQuissimus
Member

A Java Enterprise container :)

@c0bw3b
Contributor Author

c0bw3b commented Mar 9, 2017

Yes it's a big Java thingy... :)

So JBoss won't ever be fixed because we already have the latest in the 7.x branch.
To fix the issue one would have to switch to Wildfly 10.x which is the new name of the community JBoss application server.

@grahamc
Member

grahamc commented Mar 15, 2017

Backported to 17.03: 7e46b92, 16.09: 061bd12

@grahamc grahamc closed this as completed Mar 15, 2017
@cstrahan
Contributor

Has someone fixed this in the mesos package? If not, I can take care of it.

@grahamc
Member

grahamc commented Mar 15, 2017

I don't think so, @cstrahan
