undefined | Better HN

0 pointsgebl10y ago0 comments

Its not really a problem with commons-collections and unfair to color it as their issue. Its like blaming the library that is part of a ROP chain for the exploit. The issue is what gets you in first, which is instantiating objects without any thought as to what they are from un-trusted sources.

Something that is called out in the Java secure coding guidelines:

http://www.oracle.com/technetwork/java/seccodeguide-139067.h...

and is something that goes way back in many languages. It seems to be a vuln pattern that keeps getting repeated sadly.

0 comments

alblue10y ago

It's also not specific to Commons Collections - the same escape is available through Spring and Groovy as well.

http://www.infoq.com/news/2015/11/commons-exploit

j / k navigate · click thread line to collapse