Determining if your application uses the Apache Commons InvokerTransformer and is vulnerable to CVE-2015-7450
rdweiss
In December 2015, we published Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450). As detailed in the bulletin, an Apache Commons Collections vulnerability for handling Java object deserialization was addressed by WebSphere Application Server (WAS) and WebSphere Application Server Hypervisor Edition. This vulnerability does not affect the IBM HTTP Server or versions of WebSphere Application Server prior to Version 7.0.
The Apache Commons Collections vulnerability (CVE-2015-7450) is very high risk (CVSS score of 9.8), and it is critical that clients take action to address it. The vulnerability is specifically in the deserialization of a Java object using the Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. Any product or application that uses Apache Commons code could be affected by this vulnerability. Like most Java application servers, WebS
Method 1 - Class loading traces
The "MustGather: Classloader problems for WebSphere Application Server" document contains the instructions for collecting class loading traces. Its "gathering data manually" section gives the appropriate trace string and explains how to enable verbose class loading in WebSphere. After collecting the classloader trace, search for the “Inv
Method 2 - Using the Java Xtrace option
Below is the -Xtrace syntax to use to dump a stack trace when any method of InvokerTransformer is invoked:
Add the -Xtrace option as a Generic JVM Argument and restart the server. See "Setting generic JVM arguments in WebSphere Application Server."
What if my application makes use of the InvokerTransformer class?
Using this JVM argument bypasses the fix, so the vulnerability would still be present. IBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.
Also, it is important to note that applications may bundle their own copies of the Apache Commons Collections libraries, separate from what ships with WebSphere Application Server. Applying APAR PI52103 to patch WebSphere Application Server is still recommended, but those bundled copies are not covered by it: the application developers need to update their custom libraries with the fixes supplied by Apache.
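As an added example (not part of the bulletin and not IBM tooling), the following Python script walks an EAR or WAR, including the jars nested inside it, and reports every archive that bundles its own InvokerTransformer class together with the Implementation-Version from its manifest. The version thresholds (3.2.2 for the 3.x line, 4.1 for the 4.x line) are the Apache releases that disabled deserialization of the unsafe functors by default; the sample EAR built by `demo()` is constructed in memory for illustration.

```python
import io
import re
import zipfile

# Class entries that identify a Commons Collections jar carrying InvokerTransformer (3.x and 4.x packages).
INVOKER_ENTRIES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
# First Apache releases that disabled deserialization of the unsafe functors by default.
FIXED_FROM = {3: (3, 2, 2), 4: (4, 1, 0)}
NESTED = (".jar", ".war", ".ear")


def manifest_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF as a tuple, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", errors="replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def scan_archive(data, path=""):
    """Recursively scan zip bytes; list every nested jar that bundles InvokerTransformer."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = sorted(zf.namelist())
        hit = next((n for n in INVOKER_ENTRIES if n in names), None)
        if hit:
            ver = manifest_version(zf)
            fixed = FIXED_FROM.get(ver[0]) if ver else None
            # An unknown version or unknown major line is reported as vulnerable so it gets a manual look.
            findings.append({"archive": path, "class": hit, "version": ver,
                             "vulnerable": ver is None or fixed is None or ver < fixed})
        for name in names:  # descend into nested EAR/WAR/JAR entries
            if name.lower().endswith(NESTED):
                findings.extend(scan_archive(zf.read(name), f"{path}/{name}" if path else name))
    return findings


def build_jar(entries):
    """Constructed sample helper: an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def demo():
    """Constructed EAR: one WAR bundling an unfixed 3.2.1 jar and a fixed 3.2.2 jar."""
    old = build_jar({INVOKER_ENTRIES[0]: b"", "META-INF/MANIFEST.MF": b"Implementation-Version: 3.2.1\n"})
    new = build_jar({INVOKER_ENTRIES[0]: b"", "META-INF/MANIFEST.MF": b"Implementation-Version: 3.2.2\n"})
    war = build_jar({"WEB-INF/lib/commons-collections-3.2.1.jar": old,
                     "WEB-INF/lib/commons-collections-3.2.2.jar": new})
    return scan_archive(build_jar({"app.war": war}), "app.ear")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To run it against a real deployment, read the EAR file's bytes and pass them to `scan_archive` with the file name as the path.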