InvokerTransformer, InstantiateFactory, and InstantiateTransformer


We have a JBoss 6 web server hosting the tc application.

We get a security warning: "Red Hat JBoss EAP/Web Server Java UnSerialize Common-Collections Remote Code Execution Vulnerability"

The workaround for this is:

To resolve this specific de-serialization vulnerability, remove the vulnerable class files (InvokerTransformer, InstantiateFactory, and InstantiateTransformer) in all commons-collections jar files.


One example:


Has anyone fixed this with JBoss 6.x? If yes, how (which jars have you modified, etc.)?


Thank you.
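A scripted version of the workaround quoted in the post, added here as an example (it is not the poster's code, nor Red Hat's): it walks a directory such as a JBoss lib or deployments tree, rewrites every commons-collections*.jar without the three named class files, and reports what it removed. The jar-name pattern, the in-place rewrite with a .bak copy, and the sample jar fixture are assumptions made for illustration.

```python
import os
import shutil
import tempfile
import zipfile

# Class names from the advisory in the post, matched on the basename so both the 3.x and collections4 packages are covered.
GADGET_CLASS_NAMES = {"InvokerTransformer.class", "InstantiateFactory.class",
                      "InstantiateTransformer.class"}

def gadget_entries(jar_path):
    """Return the entries in jar_path whose basename is one of the gadget classes."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(n for n in zf.namelist() if n.rsplit("/", 1)[-1] in GADGET_CLASS_NAMES)

def strip_gadget_classes(jar_path):
    """Rewrite jar_path without the gadget classes and return the removed entry names."""
    to_remove = set(gadget_entries(jar_path))
    if not to_remove:
        return []
    shutil.copy2(jar_path, jar_path + ".bak")  # keep the original jar for rollback
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for item in src.infolist():  # copy every other entry, keeping its metadata
            if item.filename not in to_remove:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp_path, jar_path)
    return sorted(to_remove)

def harden_tree(root):
    """Strip the gadget classes from every commons-collections*.jar under root; returns {jar: removed}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.startswith("commons-collections") and f.endswith(".jar"):
                jar = os.path.join(dirpath, f)
                removed = strip_gadget_classes(jar)
                if removed:
                    report[jar] = removed
    return report

def build_sample_jar(directory):
    """Constructed fixture, not a real library: dummy .class entries under the 3.x package."""
    path = os.path.join(directory, "commons-collections-3.2.1.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in ("InvokerTransformer", "InstantiateFactory", "ChainedTransformer"):
            zf.writestr(f"org/apache/commons/collections/functors/{name}.class", b"\xca\xfe\xba\xbe")
    return path
```

Jars packaged inside a .war or .ear are not reached by a plain directory walk and need the same treatment after unpacking. Anything that legitimately loads the removed classes will fail with NoClassDefFoundError once they are gone, so exercise the application after the change.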