# CAS Vulnerability Disclosure

Friday, Apr 8, 2016

# Remember

This post is **NOT** new. I am just collecting it here so it's publicly available. This was originally published as a secret gist on GitHub in April 2016.

# Overview

This is an Apereo CAS project vulnerability disclosure, describing an issue in CAS's attempts to deserialize objects via the Apache Commons Collections library.

# Affected Deployments

The attack vector specifically applies to all CAS `v4.1.x` and `v4.2.x` deployments where the out-of-the-box default configuration of CAS is used for managing object serialization, encryption and signing of data.

You are **NOT** affected by this issue, if:

- You have deployed a different CAS version, lower than `v4.1.0`.
- You have deployed CAS `v4.1.x` or `v4.2.x`, **BUT** you have removed the default CAS configuration for encryption/signing and have regenerated the appropriate settings for your own deployment.

Exploiting the vulnerability hinges on getting the JVM to deserialize Java objects from arbitrary serialized data. If the above conditions describe your deployment, we **STRONGLY** recommend that you take the necessary action to patch your deployment based on the instructions below.

# Severity

This is a very serious issue: successfully exercising this vulnerability allows the adversary to inject arbitrary code. This disclosure is about a specific exploit path involving a vulnerable version of Apache Commons Collections. That exploit path is only one instance of a larger JVM Java object deserialization security concern.

# Patching

Patch releases are now available to address CAS `v4.1.x` and `v4.2.x` deployments. Upgrading to the next patch version of each release should be a drop-in replacement, with some effort to appropriately reconfigure CAS encryption/signing settings via the `cas.properties` file.
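The larger concern named above, a JVM that calls `ObjectInputStream.readObject()` on bytes it does not control, is usually mitigated by refusing to materialize any class the application did not expect. The following is an added example, not CAS project code and not part of the original disclosure: it wraps `ObjectInputStream` with a class allow-list by overriding `resolveClass`, accepts a constructed `TicketState` payload, and rejects a stream carrying any other class before its fields are read. The `TicketState` type and its field names are invented for the demo and do not correspond to CAS ticket classes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

public class SafeDeserializationDemo {

    /** Constructed sample payload standing in for serialized ticket state (hypothetical, not a CAS class). */
    static final class TicketState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String ticketId;
        final HashMap<String, String> attributes;

        TicketState(String ticketId, HashMap<String, String> attributes) {
            this.ticketId = ticketId;
            this.attributes = attributes;
        }
    }

    /**
     * Every class that may legitimately appear in the object graph must be listed here,
     * including container types used as fields. Anything else is refused.
     */
    private static final Set<String> ALLOWED = Set.of(
        TicketState.class.getName(),
        HashMap.class.getName());

    /** ObjectInputStream that consults the allow-list before loading any class descriptor. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Called for each class descriptor in the stream, before that class's
            // readObject/readResolve logic can run. Reject early if not expected.
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException("Refused to deserialize class: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeSafely(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload: passes the allow-list and round-trips.
        HashMap<String, String> attrs = new HashMap<>();
        attrs.put("authenticationMethod", "password");
        byte[] expected = serialize(new TicketState("TGT-1-constructed-sample", attrs));
        TicketState restored = (TicketState) deserializeSafely(expected);
        System.out.println("Restored ticket " + restored.ticketId + " with " + restored.attributes);

        // Any class outside the allow-list (here a plain ArrayList) is refused at the
        // class-descriptor stage, before its contents are reconstructed.
        byte[] unexpected = serialize(new ArrayList<>(List.of("not-a-ticket")));
        try {
            deserializeSafely(unexpected);
            System.out.println("Unexpected: stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The `resolveClass` override works on the Java 7 and 8 runtimes that CAS 4.x deployments of the era ran on; on Java 9 and later the same policy can be expressed with `ObjectInputStream.setObjectInputFilter` and a pattern built by `ObjectInputFilter.Config.createFilter`. Either way the allow-list must be kept in step with every type the application actually serializes, and it complements rather than replaces the fix this disclosure asks for: a deployment that still signs and encrypts with the shipped default keys cannot tell attacker-supplied bytes from its own.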