commons-fileupload 1.3.3 resolves deserialisation vulnerability CVE-2016-1000031

CVE-2016-1000031 is a vulnerability in the extremely widely used Apache Commons library commons-fileupload – you might not even know you have it on your class path. It has a very nasty Remote Code Execution vulnerability with easy-to-use exploits publicly available up to version 1.3.2. What makes it even worse is that you do not even need to use the library – you only need to have it on your class path and to deserialise some data. The data is the attack vector. You can find a good, detailed explanation of the vulnerability here.

It did take a while but with version 1.3.3 this vulnerability is finally closed (by default).

There is some stuff that you should know about the fix though:

The fix is that the deserialisation method will refuse to work by default. You can reopen the vulnerability by explicitly setting the system property org.apache.commons.fileupload.disk.DiskFileItem.serializable to true (in contrast to my usual spelling with an American ‘z’ in serializable). In this case the method will behave as in previous versions of commons-fileupload and thus be vulnerable again.

You will need to set this system property if you are using Java Serialisation for the class org.apache.commons.fileupload.disk.DiskFileItem. But beware: if you do that, you reopen the vulnerability. In that case you will have to make sure that you fully understand the vulnerability and that it cannot be exploited in your application. That is, in my opinion, a rather tedious and probably error-prone task, which should also take software rot and similar phenomena into account.

The update is a small thing to do and is unlikely to affect most applications. Thus my recommendation: Update now and be secure – well, at least a bit more secure. In addition it also might not be a bad idea to explicitly set the aforementioned property to false.
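The following Java class is an added example, not code from the post or from commons-fileupload. It does the two defensive things the post recommends (refuse to start if someone has set the property to true, and pin it to false explicitly), and it goes one step further than the specific case: since the attack vector is any deserialisation of untrusted data while the library sits on the class path, the `AllowListObjectInputStream` rejects every class that is not on an application-defined allow-list before its `readObject` can run, so `DiskFileItem` (or any other gadget class) is never instantiated. The allow-list contents, the class names and the sample payloads are assumptions constructed for this example; the exact exception type that 1.3.3 throws when the property is unset is not stated in the post, so the code does not depend on it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

public final class DeserialisationGuard {

    // The system property named in the post; commons-fileupload 1.3.3 only
    // deserialises DiskFileItem when it is "true".
    static final String FILEUPLOAD_PROP =
            "org.apache.commons.fileupload.disk.DiskFileItem.serializable";

    // Assumed allow-list: the only classes this application expects in serialised input.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.lang.String",
            "java.util.ArrayList"));

    /** Fail fast if DiskFileItem deserialisation was re-enabled, then pin the property to false. */
    static void enforceFileUploadProperty() {
        if (Boolean.getBoolean(FILEUPLOAD_PROP)) {
            throw new IllegalStateException(FILEUPLOAD_PROP
                    + "=true re-opens CVE-2016-1000031; refusing to start");
        }
        System.setProperty(FILEUPLOAD_PROP, "false");
    }

    /** ObjectInputStream that resolves only allow-listed classes; everything else is rejected
     *  while the class descriptor is read, i.e. before any readObject() of that class executes. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class not on the deserialisation allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static Object deserialise(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Helper used only to build the constructed sample payloads below.
    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        enforceFileUploadProperty();

        // Constructed sample 1: an allow-listed payload round-trips normally.
        byte[] ok = serialise(new ArrayList<>(Arrays.asList("a", "b")));
        System.out.println("allowed payload -> " + deserialise(ok));

        // Constructed sample 2: java.util.Date stands in for any class the application
        // did not expect; it is rejected before its contents are read.
        byte[] unexpected = serialise(new Date());
        try {
            deserialise(unexpected);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Overriding `resolveClass` works on every Java version; on Java 9 and later the built-in `java.io.ObjectInputFilter` (set per stream, or process-wide via the `jdk.serialFilter` system property) provides the same allow-listing without a custom stream class. Either way, the guard makes the application's own deserialisation safe independently of which version of commons-fileupload happens to be on the class path.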