You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hawq.apache.org by "C.J. Jameson (JIRA)" <ji...@apache.org> on 2015/11/12 02:39:10 UTC
[jira] [Created] (HAWQ-151) Investigate if Apache HAWQ is
vulnerable to Java remote code execution vulnerability
C.J. Jameson created HAWQ-151:
---------------------------------
Summary: Investigate if Apache HAWQ is vulnerable to Java remote code execution vulnerability
Key: HAWQ-151
URL: https://issues.apache.org/jira/browse/HAWQ-151
Project: Apache HAWQ
Issue Type: Task
Components: External Tables
Reporter: C.J. Jameson
Assignee: Lei Chang
There is a remote code execution vulnerability in Apache Commons Collections. This vulnerability affects many Java applications and frameworks, so we should check if our code is also vulnerable.
Here's the article that started the current debate about this vulnerability, including links to the original conference talk: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
Here's the ticket in Apache's JIRA: https://issues.apache.org/jira/browse/COLLECTIONS-580
Other projects' examples of reports and workarounds:
Jenkins has a temporary workaround and a security update is coming this Wednesday: https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
and Spring already has a fix in version 4.2.3, to be officially released on 11/16: https://jira.spring.io/browse/SPR-13656
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)