You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hawq.apache.org by "C.J. Jameson (JIRA)" <ji...@apache.org> on 2015/11/12 02:39:10 UTC

[jira] [Created] (HAWQ-151) Investigate if Apache HAWQ is vulnerable to Java remote code execution vulnerability

C.J. Jameson created HAWQ-151:
---------------------------------

             Summary: Investigate if Apache HAWQ is vulnerable to Java remote code execution vulnerability
                 Key: HAWQ-151
                 URL: https://issues.apache.org/jira/browse/HAWQ-151
             Project: Apache HAWQ
          Issue Type: Task
          Components: External Tables
            Reporter: C.J. Jameson
            Assignee: Lei Chang


There is a remote code execution vulnerability in Apache Commons Collections. This vulnerability affects many Java applications and frameworks, so we should check if our code is also vulnerable.
Here's the article that started the current debate about this vulnerability, including links to the original conference talk: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
Here's the ticket in Apache's JIRA: https://issues.apache.org/jira/browse/COLLECTIONS-580

Other projects' examples of reports and workarounds:
Jenkins has a temporary workaround and a security update is coming this Wednesday: https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
and Spring already has a fix in version 4.2.3, to be officially released on 11/16: https://jira.spring.io/browse/SPR-13656



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)