There exists a Java Object in the Apache Commons FileUpload library that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary locations. Furthermore, while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call. This may or may not work depending on an application's implementation of the FileUpload library.

External References: http://www.tenable.com/security/research/tra-2016-12
We agree with Apache's assessment that this does not represent a valid vulnerability in the Commons File Upload library. We have previously written about Java deserialization flaws in a Security Blog post, and encourage anyone interested in this flaw to read more about our stance here: https://access.redhat.com/blogs/766093/posts/2361811

We encourage customers developing applications in Java to assess their use of Java serialization, to ensure they add authentication and authorization to endpoints which accept data for deserialization. If that application accepts untrusted data for deserialization, and the Commons File Upload library is available on the classpath, it could be exposed to this issue. We consider the vulnerability to be with deserialization of untrusted data.
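The statement above puts the fix on the application side: do not hand untrusted bytes to a plain `ObjectInputStream`. The following is an added example (not code from Apache Commons FileUpload, Tenable or Red Hat) of look-ahead deserialization, where the stream refuses to resolve any class not on an explicit allowlist, so a gadget class on the classpath is never instantiated; it assumes Java 9+ and assumes the advisory's object is `org.apache.commons.fileupload.disk.DiskFileItem`, which the text itself does not name.

```java
import java.io.*;
import java.util.Set;

// Look-ahead deserialization: resolve only allowlisted classes, so a gadget class such
// as Commons FileUpload's DiskFileItem (assumed to be the object the advisory refers to)
// is refused before any instance exists. Added example; requires Java 9+ for Set.of.
public final class SafeObjectInputStream extends ObjectInputStream {

    // Only the types this endpoint legitimately expects; anything else fails closed.
    // Number is listed because Integer's stream descriptor includes its superclass.
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.Integer", "java.lang.Number", "java.util.HashMap");

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // The class is never loaded or instantiated; the caller sees the rejection.
            throw new InvalidClassException(name, "class not permitted for deserialization");
        }
        return super.resolveClass(desc);
    }

    // Deserializes under the allowlist; returns null (and logs) when a class is refused.
    public static Object readOrReject(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        } catch (InvalidClassException e) {
            System.err.println("rejected deserialization of " + e.classname);
            return null;
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an expected Integer, and java.io.File standing in for any
        // class that is not on the allowlist (a FileUpload gadget is refused the same way).
        System.out.println("allowed -> " + readOrReject(serialize(42)));
        System.out.println("refused -> " + readOrReject(serialize(new File("/tmp/x"))));
    }
}
```

On Java 9+ the same policy can be applied without subclassing through `ObjectInputStream.setObjectInputFilter` with a pattern from `ObjectInputFilter.Config.createFilter`; either way, the allowlist belongs on every endpoint that deserializes data, alongside the authentication and authorization the statement calls for.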