Zero-Day exploit at Java lib Common Collections

nthsol
Participant
0 Kudos

Hi Gurus,

I found a post stating there is a Zero-Day exploit in the common collections function InvokerTransformer, found by Gabriel Lawrence and Chris Frohoff and shown in their presentation.
http://de.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles

Until now I have found no SAP Security Notes relating to this and stating a possible solution or whether any tools are affected.

Did anyone find any document related to this?

Edit: There was already another post on this topic ->

Kind regards,

Niklas

1 ACCEPTED SOLUTION

nthsol
Participant
0 Kudos

Hey everybody,

I wanted to give you an update on this.

After contacting SAP I got the answer that both SAP ABAP and SAP JAVA do not use this library.

I could confirm this after I had done the search for the vulnerable library.

Please remember that this is not an official statement that you may not be affected. This is just a hint that we seem to be quite safe using SAP.

In case you want to know if you are affected, please open an OSS message at SAP.

Regards,

Niklas
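
A search for the library like the one mentioned in the post above can be done by looking inside every archive on disk for the InvokerTransformer class; this is an added example, not part of the original thread or any SAP tool. The nested-archive suffixes and the depth limit are assumptions, and copies relocated (shaded) under a different package name are not detected.

```python
import io
import os
import zipfile

# Class entries for InvokerTransformer in Commons Collections 3.x and 4.x.
TARGETS = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
# Nested archive suffixes to descend into (assumption; extend for your landscape).
NESTED = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 5  # assumption: guard against pathological nesting


def scan_archive(fileobj, label, depth=0):
    """Return 'outer!/inner!/entry' paths for every InvokerTransformer class found."""
    hits = []
    try:
        with zipfile.ZipFile(fileobj) as zf:
            for name in zf.namelist():
                if name.endswith(TARGETS):
                    hits.append(f"{label}!/{name}")
                elif name.lower().endswith(NESTED) and depth < MAX_DEPTH:
                    inner = io.BytesIO(zf.read(name))
                    hits += scan_archive(inner, f"{label}!/{name}", depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # corrupt or encrypted: stop scanning this archive, keep hits so far
    return hits


def scan_tree(root):
    """Walk root and scan every file that is a ZIP container, whatever its extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if zipfile.is_zipfile(path):
                hits += scan_archive(path, path)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

A hit only shows that the class is present on disk; whether an application deserializes untrusted data with it on the classpath still has to be checked separately.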
