Usage of vulnerable Apache Commons Collections InvokerTransformer class

Description

The InvokerTransformer class in versions of Apache Commons Collections older than 3.2.2 is susceptible to remote code execution. The issue arises during deserialization of untrusted data, where an attacker can execute arbitrary code on the server.

Remediations

  • Upgrade Apache Commons Collections 3 to version 3.2.2 or above to mitigate the vulnerability associated with the InvokerTransformer class. The 3.x line is published under the commons-collections group and artifact (commons-collections4 is a separate artifact with its own 4.x version numbers):

    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.2</version>
    </dependency>
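As an added check (not part of the Bearer rule or the Commons Collections project): a small Python script that flags pom.xml dependencies still pinned below the fixed releases, 3.2.2 for commons-collections as stated above and 4.1 for the separate commons-collections4 artifact. The pom content is constructed sample input.

```python
"""Flag pom.xml dependencies that still pull a Commons Collections release
whose InvokerTransformer can be abused during deserialization."""
import re
import xml.etree.ElementTree as ET

# Minimum safe version per Maven (groupId, artifactId).
FIXED_VERSIONS = {
    ("commons-collections", "commons-collections"): "3.2.2",
    ("org.apache.commons", "commons-collections4"): "4.1",
}

def parse_version(text):
    """Turn '3.2.1' or '4.0-beta1' into a comparable 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def find_vulnerable(pom_xml):
    """Return (groupId, artifactId, version) for each dependency pinned
    below its fixed version. Property-managed versions (${...}) are
    skipped; resolve those with the build tool first."""
    root = ET.fromstring(pom_xml)
    # Maven POMs normally carry a default namespace; handle both cases.
    ns = {"m": root.tag[1:].split("}")[0]} if root.tag.startswith("{") else {}
    p = "m:" if ns else ""
    hits = []
    for dep in root.iterfind(f".//{p}dependency", ns):
        g = dep.findtext(f"{p}groupId", default="", namespaces=ns)
        a = dep.findtext(f"{p}artifactId", default="", namespaces=ns)
        v = dep.findtext(f"{p}version", default="", namespaces=ns)
        fixed = FIXED_VERSIONS.get((g, a))
        if fixed is None or not v or v.startswith("${"):
            continue
        if parse_version(v) < parse_version(fixed):
            hits.append((g, a, v))
    return hits

# Constructed sample pom: one vulnerable 3.x pin, one fixed 4.x pin.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId>
      <version>4.4</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for g, a, v in find_vulnerable(SAMPLE_POM):
        print(f"vulnerable: {g}:{a}:{v} (upgrade to >= {FIXED_VERSIONS[(g, a)]})")
```

Only the declared pom is inspected; a transitive pull of an old release shows up in `mvn dependency:tree`, not here.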

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_apache_commons_collection

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_apache_commons_collection