Apache Commons Collections

General Information

For information about reporting or asking questions about security problems, please see the security page of the Commons project.

Apache Commons Collections Security Vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Commons Collections. Each vulnerability is given a security impact rating by the development team - please note that this rating may vary from platform to platform. We also list the versions of Commons Collections the flaw is known to affect, and where a flaw has not been verified, the version is listed with a question mark.

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Commons Collections version that you are using.

If you need help on building Commons Collections or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Collections Users mailing list.

If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.

Fixed in Apache Commons Collections 3.2.2 and 4.1

High: Remote Code Execution during object de-serialization

The Apache Commons Collections library contains various classes in the "functor" package which are serializable and use reflection. This can be exploited for remote code execution attacks by injecting specially crafted objects into applications that de-serialize Java objects from untrusted sources, have the Apache Commons Collections library on their classpath, and do not perform any kind of input validation.

The implemented fix can be tracked via its related issue COLLECTIONS-580:

  • 3.2.2: de-serialization of unsafe classes in the functor package will trigger an "UnsupportedOperationException" by default. In order to re-enable the previous behavior, the system property "org.apache.commons.collections.enableUnsafeSerialization" has to be set to "true".
  • 4.1: de-serialization support for unsafe classes in the functor package has been completely removed (unsafe classes do not implement Serializable anymore).
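A defender-side illustration of the fix described above, as an added example that is not part of the Commons Collections project: an ObjectInputStream that vetoes every class from the functor packages (both the 3.x and the 4.x package names) before any object is instantiated, together with a check that the 3.2.2 opt-out property has not been switched back on. The example assumes a commons-collections 3.2.x jar on the classpath only so that it can round-trip a harmless functors-package member (ConstantTransformer) through the guard; the rejection is package-wide and does not depend on which class is inside the stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;

/**
 * Added example (not Commons Collections project code): a deserialization
 * boundary that refuses the functor packages named in the advisory,
 * independent of the library version that happens to be on the classpath.
 */
public class FunctorBlockingDemo {

    /** Package prefixes covered by the fix (3.x and 4.x coordinates). */
    static final String[] BLOCKED_PREFIXES = {
        "org.apache.commons.collections.functors.",
        "org.apache.commons.collections4.functors."
    };

    /** ObjectInputStream that rejects blocked classes in resolveClass, i.e. before instantiation. */
    static final class FunctorBlockingObjectInputStream extends ObjectInputStream {
        FunctorBlockingObjectInputStream(ByteArrayInputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String prefix : BLOCKED_PREFIXES) {
                if (name.startsWith(prefix)) {
                    // Fail closed: the class is never loaded, so no constructor or readObject runs.
                    throw new InvalidClassException(name,
                            "Commons Collections functor classes are not accepted from this stream");
                }
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    static Object deserializeGuarded(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new FunctorBlockingObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** Configuration check: the 3.2.2 opt-out property must not have been re-enabled. */
    static boolean unsafeSerializationReenabled() {
        return Boolean.parseBoolean(
                System.getProperty("org.apache.commons.collections.enableUnsafeSerialization"));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary JDK collection passes the guard unchanged.
        ArrayList<String> plain = new ArrayList<>();
        plain.add("constructed sample");
        System.out.println("plain list accepted: " + deserializeGuarded(serialize(plain)));

        // Assumption: commons-collections 3.2.x is on the classpath. ConstantTransformer is a
        // harmless member of the functors package, used here only to exercise the package veto.
        Serializable functor = (Serializable)
                org.apache.commons.collections.functors.ConstantTransformer.getInstance("x");
        try {
            deserializeGuarded(serialize(functor));
            System.out.println("UNEXPECTED: functor class accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected as intended: " + e.classname);
        }

        System.out.println("enableUnsafeSerialization re-enabled: " + unsafeSerializationReenabled());
    }
}
```

On JDK 9+ (and 8u121+) the same policy can be expressed without subclassing through the JEP 290 serialization filter, for example `-Djdk.serialFilter='!org.apache.commons.collections.functors.*;!org.apache.commons.collections4.functors.*'`; the resolveClass override above is the portable form for older runtimes. Upgrading to 3.2.2 or 4.1 remains the primary fix; the stream-level block is defence in depth for applications that cannot control every jar on their classpath.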

The potential exploit was first presented at AppSecCali2015 [4] on 28 January 2015 by Gabriel Lawrence and Chris Frohoff. Based on these exploits, Stephen Breen published attack scenarios [5] on 06 November 2015 for various products such as WebSphere, JBoss, Jenkins, WebLogic and OpenNMS. The security team was not informed about these security problems prior to their publication. No CVE id was assigned for the Apache Commons Collections library; please refer to [1] or [2] for more information about the general problem with Java serialization.

Affects: 3.0 - 4.0

Related links:

  1. Vulnerability Report for Oracle Weblogic Server: CVE-2015-4852
  2. Vulnerability Report for Red Hat JBoss products: CVE-2015-7501 (Red Hat Portal)
  3. Apache Commons statement to widespread Java object de-serialisation vulnerability
  4. Presentation @ AppSecCali2015 by Lawrence and Frohoff
  5. Attack scenarios for various products by Stephen Breen

Errors and Omissions

Please report any errors or omissions to the dev mailing list.