There is a huge security vulnerability in the Apache Commons Collections Library that allows remote code execution through a vulnerability in object deserialization. The concerns are detailed here:
Is it possible to determine if these Jar files exist on monitored Java tiers? I am being asked to help identify these vulnerable classes and Jar files in order to fix the issue quickly.
This is a critical security vulnerability, and any help on this issue would be greatly appreciated.
I read the blog post when it was published and though I did not do a proof-of-concept yet (maybe I might find some time someday ...) my understanding is that you're basically looking for occurrences of the InvokerTransformer class.
So here's what I think you could do:
That's just the first approach that comes to my mind; you could potentially also find other methods to instrument.
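Alongside instrumenting the class at runtime, a defender usually also wants a static inventory of which archives on disk actually bundle InvokerTransformer. The following scanner is an added example written for this thread, not code from the original posts or from any monitoring product they mention. It assumes the jars are readable zip archives on local disk, walks a directory tree, looks inside WAR/EAR files for nested jars, and records the Implementation-Version from each archive's manifest. The sample archives it builds in `demo()` are constructed fixtures (empty bytes stand in for the real class file).

```python
"""Inventory jars that bundle Commons Collections' InvokerTransformer.

Added example for this thread; uses only the Python standard library.
"""
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Optional

# Class entries tied to the deserialization issue, for both the 3.x
# (org.apache.commons.collections) and 4.x (org.apache.commons.collections4)
# package names.
SUSPECT_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)

Finding = Dict[str, Optional[str]]


def manifest_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Return Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in raw.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def find_suspect_classes(jar: zipfile.ZipFile, label: str) -> List[Finding]:
    """Report suspect classes in this archive and in any jar nested inside it
    (for example WEB-INF/lib/*.jar inside a WAR)."""
    findings: List[Finding] = []
    names = jar.namelist()
    for cls in SUSPECT_CLASSES:
        if cls in names:
            findings.append({"archive": label, "class": cls,
                             "version": manifest_version(jar)})
    for name in names:
        if name.lower().endswith(".jar"):
            try:
                nested = zipfile.ZipFile(io.BytesIO(jar.read(name)))
            except zipfile.BadZipFile:
                continue  # corrupt or non-zip entry; skip it, keep scanning
            with nested:
                findings.extend(find_suspect_classes(nested, f"{label}!{name}"))
    return findings


def inspect_archive(path: str) -> List[Finding]:
    """Open one .jar/.war/.ear and return its findings (empty if not a zip)."""
    try:
        with zipfile.ZipFile(path) as jar:
            return find_suspect_classes(jar, path)
    except zipfile.BadZipFile:
        return []


def scan_tree(root: str) -> List[Finding]:
    """Walk root and inspect every Java archive found beneath it."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(inspect_archive(os.path.join(dirpath, name)))
    return findings


def build_sample_archive(path: str, version: str,
                         nested_jar_name: Optional[str] = None) -> None:
    """Constructed fixture: a jar with the 3.x InvokerTransformer entry
    (empty bytes instead of real bytecode) and a manifest, optionally
    wrapped inside an outer WAR-style archive."""
    manifest = f"Manifest-Version: 1.0\nImplementation-Version: {version}\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr(SUSPECT_CLASSES[0], b"")
    if nested_jar_name is None:
        with open(path, "wb") as f:
            f.write(inner.getvalue())
    else:
        with zipfile.ZipFile(path, "w") as outer:
            outer.writestr(nested_jar_name, inner.getvalue())


def demo() -> List[Finding]:
    """Build a constructed tree (one bare jar, one WAR with a nested jar, one
    file that is not a zip at all) and return the sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_archive(os.path.join(root, "commons-collections-3.2.1.jar"), "3.2.1")
        build_sample_archive(os.path.join(root, "app.war"), "3.2.2",
                             "WEB-INF/lib/commons-collections-3.2.2.jar")
        with open(os.path.join(root, "clean.jar"), "wb") as f:
            f.write(b"not a zip")
        return sorted(scan_tree(root), key=lambda f: f["archive"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Presence of the class alone does not settle whether a host is exposed: the fixed Commons Collections releases (3.2.2 and 4.1) still ship InvokerTransformer but refuse to deserialize it unless explicitly enabled, which is why the scanner records the manifest version next to each hit. Running it against the application server's lib directories and deployment folders gives the jar-level list asked for in the question; the runtime sensor suggested above then confirms whether the class is actually loaded and invoked.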
Hey Christian and Saanjeith,
Thanks for the feedback. I will definitely place a sensor on this InvokerTransformer class and see if it comes up in the deployed sensor table. Also, I will look forward to hearing from Nish and Alex on finding the Jar files.
I'm not sure. To give you the use case, and @Alex Soto correct me if I'm wrong here, I tried searching for this in the class browser but couldn't see it. However, for Alex's RBC we looked for the specific EAR file name and then searched whether it was loaded or not; that was a PMI/JMX metric we were looking for. If a dev can tell us that it is an exposed MBean, then we can see if it has been executed; however, we didn't search whether a particular class has been loaded. I assume we should be able to see that InvokerTransformer class in the class browser?