F5 Networks BIG-IP : Java commons-collections library vulnerability (K30518307)

high Nessus Plugin ID 87432

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

CVE-2015-4852 Java applications that have an endpoint that accepts serialized Java objects, an attacker can combine serializable collections to create arbitrary remote code execution. Based on the FoxGlove, an attack can be done via RMI or HTTP. The vulnerability is actually in InvokerTransformer class. If class path exists for commons-collections or commons-collections4, the vulnerability exits in the application.

Apache Collections-580 - Arbitrary remote code execution with InvokerTransformer With InvokerTransformer, serializable collections can be build that execute arbitrary Java code.
sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection. If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, ...) you can combine the two to create arbitrary remote code execution vulnerability.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K30518307.

See Also

https://issues.apache.org/jira/browse/COLLECTIONS-580

https://support.f5.com/csp/article/K30518307

Plugin Details

Severity: High

ID: 87432

File Name: f5_bigip_SOL30518307.nasl

Version: 2.21

Type: local

Published: 12/17/2015

Updated: 11/30/2021

Configuration: Enable paranoid mode

Risk Information

VPR

Risk Factor: Critical

Score: 10

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/a:f5:big-ip_wan_optimization_manager, cpe:/a:f5:big-ip_webaccelerator, cpe:/h:f5:big-ip, cpe:/h:f5:big-ip_protocol_security_manager

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/15/2015

Vulnerability Publication Date: 11/18/2015

CISA Known Exploited Dates: 5/3/2022

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Oracle Weblogic Server Deserialization RCE - Raw Object)

Reference Information

CVE: CVE-2015-4852