by gebl
3881 days ago
It's not really a problem with commons-collections and unfair to color it as their issue. It's like blaming the library that is part of a ROP chain for the exploit. The issue is what gets you in first, which is instantiating objects without any thought as to what they are from untrusted sources. Something that is called out in the Java secure coding guidelines: http://www.oracle.com/technetwork/java/seccodeguide-139067.h... and is something that goes way back in many languages. It seems to be a vuln pattern that keeps getting repeated, sadly.

http://www.infoq.com/news/2015/11/commons-exploit