Credit: Matthias Kaiser, Stephen Breen with honorable mention to Chris Frohoff and Gabriel Lawrence
During the same week that you were scrambling to patch the branded vulnerability of the week, this was the vulnerability that you were actually getting owned with. The Apache Commons Collections Framework provides implementations of all of the basic data structures that any Computer Science graduate should be able to write themselves in under an hour. Not surprisingly, a ton of projects use this library instead of going through the pain and undergrad flashbacks of doing that. The one feature that they didn’t teach you in college (most liekly) is how to deserialize Java objects into remote attacker shells. Luckily, the magical world of Open Source has you covered there.
Chris Frohoff and Gabriel Lawrence developed the original techniques to exploit Java object deserialization vulnerabilities, including vulnerable applications that used passed untrusted serialized objects to the Apache Commons Collections Framework and presented their research at AppSecCali 2015. Both Matthias Kaiser and Stephen Breen identified and reported vulnerabilities where commonly used software such as Oracle WebLogic unsafely deserializing untrusted serialized objects using the Apache Commons Collections Framework.