Does Spring Framework use InvokerTransformer from Apache Collections? [SPR-13675]

[spring-projects-issues]

Kamill Sokol opened SPR-13675 and commented

Yesterday announced about de-serialisation vulnerability (CVE-2015-4852):

https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

If Spring Framework use InvokerTransformer it can be vulnerable for the de-serialisation vulnerability (CVE-2015-4852).

Does Spring Framework use InvokerTransformer from Apache Commons Collection?

---

Reference URL: http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html

Issue Links:

• SerializableTypeWrapper.MethodInvokeTypeProvider can be exploited for unsafe deserialization [SPR-13656] #18232 SerializableTypeWrapper.MethodInvokeTypeProvider can be exploited for unsafe deserialization

[spring-projects-issues]

Brian Martin commented

This appears to be covered in #18232.

[spring-projects-issues]

Juergen Hoeller commented

Spring Framework does not use Commons Collections in any way. If you have it on your classpath, it might just be behind another dependency that you chose, such as OpenJPA.

That said, we do have a related issue in #18232 where we've been fixing a class of ours in order to prevent misuse in such scenarios. Note that this only matters if you are exposing serialization-based endpoints to untrusted clients. Spring does not do any such exposure by default; it's rather something that your application is explicitly opting into through the use of HTTP Invoker or RMI Invoker.

Juergen

[spring-projects-issues]

Kamill Sokol commented

Thank you very much for the clarification. I quoted your comment in a related Stackoverflow question.