Title: Apache Commons Collections: Remote code execution (GLSA 202107-37)
Severity: normal
Exploitable: remote
Date: 2021-07-16
Bug(s): #739348
ID: 202107-37
Synopsis
Apache Commons Collections unsafely deserializes untrusted input,
potentially resulting in arbitrary code execution.
Background
Apache Commons Collections extends the JCF classes with new interfaces,
implementations and utilities.
Affected Packages
Package: dev-java/commons-collections
Vulnerable: < 3.2.2
Unaffected: >= 3.2.2
Architectures: All supported architectures
Description
Some classes in the Apache Commons Collections functor package
deserialized potentially untrusted input by default.
Impact
Deserializing untrusted input using Apache Commons Collections could
result in remote code execution.
Workaround
There is no known workaround at this time.
Resolution
All Apache Commons Collections users should upgrade to the latest
version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/commons-collections-3.2.2"
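The following script is an added example and is not part of the GLSA or of Gentoo's own tooling. It turns the Affected Packages table into a check a practitioner can run against version strings: anything older than 3.2.2 is reported as vulnerable, anything at or above it as unaffected. The function `commons_collections_status`, the helper `strip_revision` and the sample version strings fed to it are all assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of the GLSA: classify a dev-java/commons-collections
# version against the advisory's range (vulnerable < 3.2.2, unaffected >= 3.2.2).
# The sample version strings at the bottom are constructed for illustration.

FIXED_VERSION="3.2.2"

# Gentoo appends a revision suffix to upstream versions (e.g. "3.2.1-r2").
# Strip it so only the upstream version takes part in the comparison.
strip_revision() {
    printf '%s\n' "$1" | sed 's/-r[0-9]*$//'
}

# Print "vulnerable" when the version is older than 3.2.2, else "unaffected".
# sort -V orders version strings numerically per component, so the first line
# of the sorted pair is the older of the two.
commons_collections_status() {
    v=$(strip_revision "$1")
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    if [ "$v" != "$FIXED_VERSION" ] && [ "$lowest" = "$v" ]; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# Constructed sample inputs, in the shape of installed-package versions as they
# appear on a Gentoo host; none of these reflect a real system.
for sample in 3.2.1 3.2.1-r2 3.2.2 3.2.2-r1 3.1; do
    printf '%-10s %s\n' "$sample" "$(commons_collections_status "$sample")"
done
```

Feed `commons_collections_status` the version from `emerge --pretend` or from the installed-package database to see which side of the fix a host is on; the revision suffix is dropped first so that a rebuilt 3.2.2-r1 is still recognised as containing the fix.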
References
CVE-2017-15708
