"I guarantee you that there are now a bunch of people who are combing through all the most common components looking for serializable classes that allow for some sort of command execution," Mayhew said. "These are probably both good and bad guys."
Even in the context of Apache Commons Collections, InvokerTransformer might not be the only vulnerable class, according to discussions on the component's bug tracker. There are three others that have been singled out as candidates for having the same problem.
The FoxGlove Security researchers searched the public software projects hosted on GitHub for use of "commons-collection" and found 1,300 results. However, there are likely thousands more custom-built Java applications in enterprise environments that use the library.
Even though there's a strong possibility that this problem goes beyond this particular component, until a patch is released, developers should consider whether they can remove commons-collections from the classpath or remove the InvokerTransformer class from the common-collections jar file. Such changes should be considered carefully, as they could break applications.
Sign up for CIO Asia eNewsletters.