For information about reporting or asking questions about security problems, please see the security page of the Commons project.
This page lists all security vulnerabilities fixed in released versions of Apache Commons Collections. Each vulnerability is given a security impact rating by the development team - please note that this rating may vary from platform to platform. We also list the versions of Commons Collections the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.
Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Commons Collections version that you are using.
If you need help on building Commons Collections or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Collections Users mailing list.
If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.
High: Remote Code Execution during object de-serialization
The Apache Commons Collections library contains various classes in the "functor" package which are serializable and use reflection. This can be exploited for remote code execution attacks by injecting specially crafted objects to applications that de-serialize java objects from untrusted sources and have the Apache Commons Collections library in their classpath and do not perform any kind of input validation.
The implemented fix can be tracked via its related issue COLLECTIONS-580:
The potential exploit was first presented at AppSecCali2015  on 28 January 2015 by Gabriel Lawrence and Chris Frohoff. Based on these exploits, Stephen Breen published on 06 November 2015 attack scenarios  for various products like WebSphere, JBoss, Jenkins, WebLogic, and OpenNMS. The Security team was not informed about these security problems prior to their publication. No CVE id was assigned for the Apache Commons Collections library, please refer to  or  for more information about the general problem with Java serialization.
Affects: 3.0 - 4.0
Please report any errors or omissions to the dev mailing list.