
InvokerTransformer, InstantiateFactory, and InstantiateTransformer

Experimenter

We have a JBoss 6 web server hosting a TC application.

We get a security warning: "Red Hat JBoss EAP/Web Server Java UnSerialize Common-Collections Remote Code Execution Vulnerability"

The workaround for this is:

To resolve this specific de-serialization vulnerability, remove the vulnerable class files (InvokerTransformer, InstantiateFactory, and InstantiateTransformer) in all commons-collections jar files.

One example:

Has anyone fixed this with JBoss 6.x? If yes, how (which jars have you modified, etc.)?

Thank you.
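Added example (not part of the original post, and not a Red Hat or JBoss tool): a small Python script that does the two things the advisory workaround above calls for, finding every jar under an installation tree that still contains the three gadget classes, and writing a copy of such a jar with those class entries removed. It assumes only what the post states: the class names InvokerTransformer, InstantiateFactory and InstantiateTransformer, which in Apache Commons Collections live under the `org/apache/commons/collections/functors/` package path. The sample jar built by `run_demo()` is constructed here for illustration and contains placeholder bytes, not real class files.

```python
"""Locate commons-collections jars that still ship the deserialization gadget
classes named in the advisory, and produce stripped copies without them.
Added example; run against a real JBoss tree with: python scan_jars.py /path/to/jboss
"""
import os
import sys
import tempfile
import zipfile

# Class simple names quoted in the advisory workaround. Inner classes
# (e.g. InvokerTransformer$1.class) are matched too, since they share the stem.
VULNERABLE_STEMS = {"InvokerTransformer", "InstantiateFactory", "InstantiateTransformer"}


def is_vulnerable_entry(entry_name):
    """True if a zip entry is a .class file whose outer class is one of the gadgets."""
    if not entry_name.endswith(".class"):
        return False
    base = entry_name.rsplit("/", 1)[-1]           # strip the package path
    stem = base[: -len(".class")].split("$", 1)[0]  # strip inner-class suffix
    return stem in VULNERABLE_STEMS


def vulnerable_entries(jar_path):
    """Return the entry names inside jar_path that match the gadget classes."""
    with zipfile.ZipFile(jar_path) as zf:
        return [n for n in zf.namelist() if is_vulnerable_entry(n)]


def scan_tree(root):
    """Map each jar under root that contains a gadget class to its matching entries."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jar", ".zip")):
                continue
            path = os.path.join(dirpath, name)
            try:
                found = vulnerable_entries(path)
            except zipfile.BadZipFile:
                continue  # not a real archive; skip rather than abort the scan
            if found:
                hits[path] = found
    return hits


def strip_jar(src, dst):
    """Copy src to dst, omitting gadget class entries; returns the names removed.
    Compression settings of the kept entries are preserved via their ZipInfo."""
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if is_vulnerable_entry(info.filename):
                removed.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def make_sample_jar(path):
    """Constructed sample: a fake commons-collections jar layout with placeholder
    bytes (the class-file magic number) instead of real bytecode."""
    entries = [
        "META-INF/MANIFEST.MF",
        "org/apache/commons/collections/Transformer.class",
        "org/apache/commons/collections/functors/ChainedTransformer.class",
        "org/apache/commons/collections/functors/InvokerTransformer.class",
        "org/apache/commons/collections/functors/InstantiateFactory.class",
        "org/apache/commons/collections/functors/InstantiateTransformer.class",
    ]
    with zipfile.ZipFile(path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe" if entry.endswith(".class") else b"Manifest-Version: 1.0\n")


def run_demo():
    """Build the constructed jar in a temp dir, scan, strip, and re-scan the result."""
    root = tempfile.mkdtemp(prefix="cc-scan-")
    jar = os.path.join(root, "lib", "commons-collections-sample.jar")  # constructed name
    os.makedirs(os.path.dirname(jar))
    make_sample_jar(jar)
    hits = scan_tree(root)
    stripped = jar + ".stripped"
    removed = strip_jar(jar, stripped)
    return {
        "jars_with_hits": sorted(os.path.relpath(p, root) for p in hits),
        "found": sorted(hits[jar]),
        "removed": sorted(removed),
        "remaining_after_strip": vulnerable_entries(stripped),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        for key, value in run_demo().items():
            print(f"{key}: {value}")
    else:
        for path, entries in scan_tree(target).items():
            print(path)
            for entry in entries:
                print("   ", entry)
```

On a real server, run the scan first to answer the "which jars" question, back up each affected jar, replace it with the stripped copy, and re-run the scan to confirm nothing matches. A quick manual check for a single jar is `unzip -l some.jar | grep -E 'InvokerTransformer|InstantiateFactory|InstantiateTransformer'`.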