CVE-2016-1000031: Apache Commons FileUpload Deserialization RCE

Critical Vulnerability Information CVE ID: CVE-2016-1000031 Vulnerability Name: Apache Commons FileUpload DiskFileItem File Manipulation Remote Code Execution Component: Commons FileUpload Priority: Critical Affected Versions: 1.3.2 Fixed Versions: 1.3.3 Status: Closed Resolution: Fixed Description Summary: A Java object within the Apache Commons FileUpload library can be manipulated such that, when deserialized, it allows writing or copying files to arbitrary locations on disk. Additionally, this object can be used independently or in conjunction with ysoserial to upload and execute binary files within a single deserialization call. The exploitability depends on how the application implements the FileUpload library. Background: At the end of 2015, FoxGlove Security published an article detailing how to achieve remote code execution on various commercial products using Chris Frohoff’s ysoserial tool, based on a presentation from AppSec Cali in January 2015. The ysoserial tool leverages "gadgets" to perform "unintended" operations within Apache Commons Collections, Groovy, and Spring, ultimately executing Runtime.getRuntime().exec() to enable remote Java code execution. The DiskFileItem class in the FileUpload library is serializable and implements custom writeObject() and readObject() methods, making it susceptible to exploitation. Related Links: http://www.tenable.com/security/research/tra-2016-12

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2016-1000031: Apache Commons FileUpload Deserialization RCE