Last year Google employee launched an initiative to help Open Source Projects in patching critical Remote Code Execution vulnerability in a widely used Apache Commons Collections (ACC) library.
What is Apache Commons Collection Library?
Add much powerful data structure that accelerates development of Java Applications and used to build upon the JDK classes by providing new interfaces, implementations and utilities.
The Team of 50 employees, working to patch thousands of open source projects on GitHub, those were vulnerable with “Mad Gadget Vulnerability” or “Apache Commons Collections Deserialization Vulnerability”.
What is Mad Gadget Vulnerability?
“Mad Gadget Vulnerability” (CVE-2015-6420) is a remote code execution flaw bug in the Java affecting Apache Commons Collection(ACC) Library that could allow attackers to execute malicious code on a system without authentication.
Apache Common Collection Library is widely used by many applications to decode data passed between computers.
An attacker can exploit this flaw by sending maliciously crafted input into an application on the target system which is using ACC library and an attacker can send malicious input without authenticating itself. The attacker could now access the compromised system and can conduct further attacks.
Oracle, Cisco, Red Hat, VMWare, IBM, Intel, Adobe, HP, Jenkins, and SolarWinds, almost every enterprise were affected by “Apache Commons Collections Deserialization Vulnerability” or “Mad Gadget vulnerability” but now they have been patched.
Under Operation Rosehub, patches were done to many open source projects, although Google Employees were only able to patch referenced vulnerable version of ACC library on GitHub.
“We recognized that the industry best practices had failed. An action was needed to keep the open source community safe. So rather than simply posting a security advisory asking everyone to address the vulnerability, we formed a task force to update their code for them.
That initiative was called Operation Rosehub,” Justine Tunney, Software Engineer on TensorFlow, wrote on Google Open Source Blog.
Earlier, Google made their two projects “E2EMail” and “Upspin” open source.
Get more stuff like this
in your inbox
Subscribe Us And Get Latest Tech News, Hacking News, Science News, And Latest Gadgets News Directly Delivered To Your Inbox
Thank You For Subscribing. Verification Email Has Been Send To You. Please Verify !
Something Went Wrong.