This repository has been archived by the owner on Jan 3, 2019. It is now read-only.

Upgrade Apache Commons Collections to v3.2.2 #31

Open: wants to merge 1 commit into base: master

Conversation

@jart jart commented Mar 5, 2016

Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of
vulnerability that exists. By merely existing on the classpath, this
library causes the Java serialization parser for the entire JVM process
to go from being a state machine to a Turing machine. A Turing machine
with an exec() function!

https://commons.apache.org/proper/commons-collections/security-reports.html
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

Also, do consider using Guava in the future.

@barmintor (Member) commented

@jart thanks for the PR! This codebase is EOL'd, but the available committers are discussing the issue. Can I ask whether you identified the project based on the dependency alone, a combination of dependencies, or a demonstration exploit? I don't see any active uses of ObjectInputStream (though there is an instance in a dead method), but maybe the SOAP bindings?

@jart (Author) commented Mar 5, 2016

I identified this project by searching for pom.xml files with the insecure version. I've submitted the same pull request to twenty-two other projects.
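As an added example (not code from this PR or the project), here is the defender-side check that barmintor's question about ObjectInputStream points at: a look-ahead stream that rejects any class not on an explicit allow-list, which blocks gadget chains regardless of which library versions happen to sit on the classpath. The allow-list and the sample objects are constructed for the demo.

```java
import java.io.*;
import java.util.*;

// Upgrading removes the known gadget classes, but an ObjectInputStream fed
// untrusted bytes still instantiates whatever classes the stream names.
public class SafeObjectInputStream extends ObjectInputStream {
    // Allow-list assumed for this demo: only the types the caller expects
    // (Number is needed because Integer's descriptor names its superclass).
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.HashMap", "java.lang.Integer", "java.lang.Number"));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Decide on the class name alone; nothing is loaded until this passes.
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(),
                    "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a benign map is accepted, a Date is rejected.
        Map<String, Integer> ok = new HashMap<>();
        ok.put("retries", 3);
        try (ObjectInputStream in = new SafeObjectInputStream(
                new ByteArrayInputStream(serialize(ok)))) {
            System.out.println("accepted: " + in.readObject());
        }
        try (ObjectInputStream in = new SafeObjectInputStream(
                new ByteArrayInputStream(serialize(new Date())))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

The rejection happens inside resolveClass, before any constructor or readObject hook of the named class can run, which is the property that matters for gadget-chain payloads.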

2 participants