The best protection against this, is to avoid using a complex serialization protocol with untrusted peers. It is possible to limit the impact when using a custom ObjectInputStream which overrides resolveClass to implement a whitelist approach http://www.ibm.com/developerworks/library/se-lookahead/. This might however not always be possible, such as when a framework or application server provides the endpoint. This is rather bad news, as there is no easy fix and applications need to revisit their client-server protocols and overall architecture.
In these rather unfortunate situations, people have looked at the sample exploits. Frohoff provided “gadget chains” in sample payloads which combine classes from the Groovy runtime, Spring framework or Apache Commons Collection. It is quite certain that you can combine more classes to exploit this weakness, but those are the chains readily available to attackers today.
Even when the classes implementing a certain functionality cannot be blamed for this vulnerability, and fixing the known cases will also not make the usage of serialization in an untrusted context safe, there is still demand to fix at least the known cases, even when this will only start a Whack-a-Mole game. In fact, it is for this reason the original team did not think it is necessary to alert the Apache Commons team, hence work has begun relatively late. The Apache Commons team is using the ticket COLLECTION-580 (link) to address the issue in the 3.2 and 4.0 branches of commons-collection by disabling de-serialization of the class InvokerTransformer. A to-do item being discussed is whether to provide programmatic enabling of the feature on a per-transformer basis.
There is some precedence for this, the class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl which is part of Oracle and OpenJDK JREs and which allows to inject and run bytecode, does reject deserialization if a security manager is defined. This can be turned off with the system property jdk.xml.enableTemplatesImplDeserialization=true. Apache Commons Collection plans to disable this functionality independent of the existence of a security manager, as this execution model is less commonly used than it should.
However, to be clear: this is not the only known and especially not unknown useable gadget. So replacing your installations with a hardened version of Apache Commons Collections will not make your application resist this vulnerability.
We want to thank Gabriel Lawrence for reviewing this blog post.
Apache Commons Collection is a Java library offering additional collection classes in addition to the Java Collection framework. The InvokerTransformer is one specific implementation of the Transformer functional interface which can be used to transform objects in a collection (specifically by calling a method via reflection invocation).
