Waratek resolution of Apache Commons Collections Component

By November 13, 2015 August 1st, 2018 Blog

So what’s the fuss?

A flaw in a popular Java library was discovered more than nine months ago, but continues to put thousands of Java applications and servers at risk of remote code execution attacks.

The flaw is located in Apache Commons, a library that contains a widely used set of Java components maintained by the Apache Software Foundation. The library is used by default in multiple Java application servers and other products including Oracle WebLogic, IBM WebSphere, JBoss, Jenkins and OpenNMS.

The security implications of deserialization have been known for a number of years. OWASP refers to this kind of vulnerability as “deserialization of untrusted data.” In a nutshell, security vulnerabilities may occur when software developers assume that serialized data can be trusted and is well-formed.

Sonatype report ‘True State of Open Source Security 2014identified that:

  • Applications are the Number 1 attack vector leading to breaches
  • 90% of a typical application is assembled with open source components
  • 44 million vulnerable open source components downloaded last year

Remain exposed for how long?

On 6th November Foxglove security raised the awareness of this vulnerability and advised that the fix necessary is to‘manually fix the library by hand by removing class files that are leveraged by the exploit from the Jar file’.

As of today (12th Nov 2015) this vulnerability Apache Commons Collections Component remains un-patched by the Apache Foundation.

So how long is this going to take to go through all of your applications and either manually fix, or provide a patch once it is available? And what about your legacy applications?

A recent survey at the Gartner Security and Risk Management Summit showed that ‘Most Enterprises Don’t Fix 60 Percent of Security Vulnerabilities’ with 50 percent of respondents reported that it takes their organization three months (23%) or more (27%) to fix security flaws in their applications.

Who is at risk?

Lucian Constantin wrote in Computerworld:

The FoxGlove Security researchers searched the public software projects hosted on GitHub for use of “commons-collection” and found 1,300 results. However, there are likely thousands more custom-built Java applications in enterprise environments that use the library.

Even though there’s a strong possibility that this problem goes beyond this particular component, until a patch is released, developers should consider whether they can remove commons-collections from the classpath or remove the InvokerTransformer class from the common-collections jar file. Such changes should be considered carefully, as they could break applications.

Current security measures

Alex Blewitt wrote on InfoQ: Unfortunately these vulnerabilities cannot be effectively protected against in an easy way. As well as being applicable to large numbers of Java applications (using or having Groovy on the class path, or Spring 4.x or Apache Commons Collections 3.x or 4.x), there is no easy way to prevent Object serialization from being used in a JVM, since it is used by potentially many Java operations.

So how can you improve the security of your Enterprise?

If you’ve been following Waratek then you will understand what RASP is and why Gartner have identified this as a ‘Must Have Emerging Technology’. Waratek is unique in that it provides Runtime Application Self Protection (RASP) by Virtualization. Why is this important? Because Waratek has full contextual awareness of an application and a simple rule can identify an unknown vulnerability with certainty, with no code changes required.

What can you do using Waratek today


  • Impact Reduction: immediately reduce the severity of this vulnerability from high (CVSS 7 – 10) to medium (4.0 – 6.9). This protects your Enterprise from not just this vulnerability, but also other unidentified or zero day attacks.
  • Virtual Patch: apply a specific rule to virtually patch
  • SIEM data: Waratek provides SIEM information to identify at-risk applications identifying when/if an application loads the vulnerable class. This can identify high-risk vulnerable applications that are actively loading the vulnerable code and can identify details of the attacker

Within hours Waratek’s customers had received both an Impact Reduction Rule and Virtual Patch Rule for remediating this vulnerability with no application restart, no source code change and no binary patching.

NO other form of security offers all of this.

Don’t just listen to us, find out what others had to say!

If you’d like to find out how Waratek can FIX known and unknown vulnerabilities WITHOUT touching the software then contact us to find out more.


Author Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission critical web applications using our next generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.

More posts by Waratek