Find JAR files with the Apache Commons Collections Library Security Vulnerability

eric_eiswerth
Dynatrace Advisor

There is a huge security vulnerability in the Apache Commons Collections Library that allows remote code execution through a vulnerability in object deserialization. The concerns are detailed here:

http://foxglovesecurity.com/2015/11/06/what-do-web...

Is it possible to determine if these Jar files exist on monitored Java tiers? I am being asked to help identify these vulnerable classes and Jar files in order to fix the issue quickly.

This is a critical security vulnerability, and any help on this issue would be greatly appreciated.

Thanks,

Eric


saanjeith_varat
Inactive

It is possible to determine if Jar files and/or Ear files are being executed via a custom JMX command. @Nishant Rama and/or @Alex Soto have that information at their disposal IIRC.

Cheers,

Sanj

You can look for the MBean associated with this EAR file and see if it is up or not, which would indicate if it's been executed or not.

Hey Nish,

How do you determine which EAR or JAR file contains the vulnerable classes?

c_schwarzbauer
Dynatrace Champion

hi Eric,

I read the blog post when it was published and, though I have not done a proof-of-concept yet (maybe I might find some time someday ...), my understanding is that you're basically looking for occurrences of the InvokerTransformer class.

so here's what I think you could do:

  • place a method sensor on the InvokerTransformer class, e.g. on the static constructor
  • then look in the agent overview -> deployed sensors for this class
  • if it's there -> you're potentially vulnerable

that's just the first approach that comes to my mind, you could potentially also find other methods to instrument.

HTH,
Christian
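Christian's approach finds the class only once a JVM has loaded it. A complementary check that does not need a running JVM is to scan the deployed archives on disk for the class entry itself. The script below is an added example written for this thread; it is not Dynatrace code and not from the original post. It looks for the InvokerTransformer class at its commons-collections package path (the 3.x `org.apache.commons.collections.functors` and 4.x `org.apache.commons.collections4.functors` packages) in every .jar/.war/.ear under a directory, recursing into archives nested inside an EAR or WAR, since that is where application servers usually keep library jars. The sample directory layout it builds is constructed for the demo. As Christian says, a hit means "potentially vulnerable": the class has to be reachable by some deserialization of untrusted data to matter, so treat the result as a list of archives to patch or investigate, not as proof of exploitability.

```python
import io
import os
import sys
import tempfile
import zipfile

# Entry names whose presence marks an archive as carrying the gadget class
# discussed in the thread (commons-collections 3.x and 4.x package paths).
VULNERABLE_CLASS_ENTRIES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive_bytes(data, label):
    """Return [(label, entry_name)] for every vulnerable class entry found in the
    archive bytes, recursing into nested archives (label!inner/path.jar)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip container (corrupt file, or a .jar that is really something else)
        return findings
    with zf:
        for name in zf.namelist():
            if name in VULNERABLE_CLASS_ENTRIES:
                findings.append((label, name))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # Library jars bundled inside an EAR/WAR are scanned in memory
                findings.extend(scan_archive_bytes(zf.read(name), label + "!" + name))
    return findings


def scan_directory(root):
    """Walk root, scan every archive, and return sorted findings with paths
    relative to root (forward slashes) so output is stable across hosts."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as f:
                    findings.extend(scan_archive_bytes(f.read(), label))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout (not real artifacts): one clean jar, one jar
    carrying the InvokerTransformer class entry, and an EAR nesting that jar.
    The class payloads are placeholder bytes, not real bytecode."""
    def make_zip(path, entries):
        with zipfile.ZipFile(path, "w") as zf:
            for name, payload in entries.items():
                zf.writestr(name, payload)

    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "apps"))
    make_zip(os.path.join(root, "lib", "clean-lib.jar"),
             {"com/example/Clean.class": b"\xca\xfe\xba\xbe"})
    cc_jar = os.path.join(root, "lib", "commons-collections-sample.jar")
    make_zip(cc_jar, {VULNERABLE_CLASS_ENTRIES[0]: b"\xca\xfe\xba\xbe"})
    with open(cc_jar, "rb") as f:
        nested = f.read()
    make_zip(os.path.join(root, "apps", "shop.ear"),
             {"META-INF/application.xml": b"<application/>",
              "lib/commons-collections-sample.jar": nested})


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    # Usage: python scan_cc.py /path/to/appserver   (no argument runs the demo)
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for label, entry in results:
        print("POTENTIALLY VULNERABLE: %s contains %s" % (label, entry))
    if not results:
        print("no InvokerTransformer class entries found")
```

Run it against the application server's installation and deployment directories (the default demo run scans only the constructed temp tree). Output lines such as `apps/shop.ear!lib/commons-collections-sample.jar` tell you which outer archive to rebuild with a patched library; a jar that is present on disk but never on a classpath still shows up here, which is exactly the gap the sensor-based check closes in the other direction.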

Hey Christian and Saanjeith,

Thanks for the feedback. I will definitely place a sensor on this InvokerTransformer class and see if it comes up in the deployed sensor table. Also, I will look forward to hearing from Nish and Alex on finding the Jar files.

Thanks,

Eric

nishant_rama
Advisor

Hi Eric,

I'm not sure. To give you the use case, and @Alex Soto correct me if I'm wrong here, I tried searching for this in the class browser but couldn't see it. However, for Alex's RBC we looked for the specific EAR file name and then searched if it was loaded or not; that was a PMI/JMX metric that we were looking for. If a dev can tell us that it is an exposed MBean then we can see if it has been executed; however, we didn't search if a particular class has been loaded. I assume we should be able to see in the class browser for that InvokerTransformer class?

Regards,

Nish