The Java “Apache Commons Collections Deserialization Vulnerability” (CVE-2015-6420) was first identified in 2015, but it received very little attention in the months after it was announced. The library itself never deserializes anything; it ships a chain of serializable classes (a “gadget chain” built around InvokerTransformer) that lets an attacker turn an application’s deserialization of untrusted input into remote code execution. The patched releases (3.2.2 and 4.1) refuse to deserialize those classes by default, which closes this chain but does not make deserializing untrusted data safe in general. Since then, it has been the source of a handful of high-profile attacks, including the 2016 ransomware attacks on Baltimore’s Union Memorial Hospital and the San Francisco Municipal Transportation Agency (Muni) network. The problem was that numerous open source projects still referenced insecure versions of Apache Commons Collections: Google identified more than 2,600 projects in which this was the case.
To remedy this, a team of Google engineers initiated Operation Rosehub, in which 50 engineers dedicated their 20% time to patching these projects.
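The check Google ran at scale, finding projects whose build files still pin a pre-fix Commons Collections release, is easy to reproduce for a single project. The scanner below is an added example and is not the article’s or Operation Rosehub’s own tooling. The version thresholds are the real upstream fixes (3.2.2 for commons-collections, 4.1 for commons-collections4); the pom.xml it parses is a constructed sample, and it only looks at dependencies declared directly in that file (transitive pulls need `mvn dependency:tree` or an equivalent resolver).

```python
"""Flag Maven dependencies on Apache Commons Collections releases that still
ship the unpatched InvokerTransformer gadget chain.

Added example, not part of the original article or of Operation Rosehub.
The fix thresholds are the real upstream releases; SAMPLE_POM is constructed.
"""
import re
import xml.etree.ElementTree as ET

# (groupId, artifactId) -> first release that disables unsafe deserialization by default
FIXED_IN = {
    ("commons-collections", "commons-collections"): (3, 2, 2),
    ("org.apache.commons", "commons-collections4"): (4, 1),
}


def parse_version(version: str) -> tuple:
    """'3.2.1' -> (3, 2, 1); qualifiers such as '-SNAPSHOT' are dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_vulnerable(group: str, artifact: str, version: str) -> bool:
    """True only for the two affected artifacts below their fixed release.
    Tuple comparison already treats (4,) as less than (4, 1)."""
    fixed = FIXED_IN.get((group, artifact))
    if fixed is None:
        return False
    return parse_version(version) < fixed


def scan_pom(pom_xml: str) -> dict:
    """Return {'vulnerable': [...], 'unresolved': [...]} for the direct
    dependencies in a pom.xml, resolving simple ${property} versions."""
    root = ET.fromstring(pom_xml)
    # Maven POMs are normally namespaced; tolerate un-namespaced ones too.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    props = {p.tag[len(ns):]: (p.text or "").strip()
             for p in root.findall(f"./{ns}properties/*")}
    result = {"vulnerable": [], "unresolved": []}
    for dep in root.iter(f"{ns}dependency"):
        group = dep.findtext(f"{ns}groupId", default="").strip()
        artifact = dep.findtext(f"{ns}artifactId", default="").strip()
        raw = dep.findtext(f"{ns}version", default="").strip()
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), raw)
        if (group, artifact) not in FIXED_IN:
            continue
        # No version, or a property defined in a parent POM we cannot see:
        # report it rather than guessing either way.
        if not version or "${" in version:
            result["unresolved"].append((group, artifact, raw))
        elif is_vulnerable(group, artifact, version):
            result["vulnerable"].append((group, artifact, version))
    return result


# Constructed sample: one pinned old release, one old release behind a
# property, one unrelated artifact, one version managed elsewhere.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>legacy-app</artifactId>
  <version>1.0</version>
  <properties>
    <cc4.version>4.0</cc4.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId>
      <version>${cc4.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.4</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>${managed.elsewhere}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for status, deps in scan_pom(SAMPLE_POM).items():
        for group, artifact, version in deps:
            print(f"{status}: {group}:{artifact}:{version}")
```

Bumping a flagged dependency removes this particular gadget chain from the classpath; it does not remove the underlying risk, which is that the application deserializes data an attacker can influence.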