Posted to issues@hawq.apache.org by "C.J. Jameson (JIRA)" <ji...@apache.org> on 2015/11/12 02:39:10 UTC
[jira] [Updated] (HAWQ-151) Investigate if Apache HAWQ is vulnerable to Java remote code execution vulnerability
[ https://issues.apache.org/jira/browse/HAWQ-151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
C.J. Jameson updated HAWQ-151:
------------------------------
Priority: Critical (was: Major)
> Investigate if Apache HAWQ is vulnerable to Java remote code execution vulnerability
> ------------------------------------------------------------------------------------
>
> Key: HAWQ-151
> URL: https://issues.apache.org/jira/browse/HAWQ-151
> Project: Apache HAWQ
> Issue Type: Task
> Components: External Tables
> Reporter: C.J. Jameson
> Assignee: Lei Chang
> Priority: Critical
>
> There is a remote code execution vulnerability in Apache Commons Collections. This vulnerability affects many Java applications and frameworks, so we should check if our code is also vulnerable.
> Here's the article that started the current debate about this vulnerability, including links to the original conference talk: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> Here's the ticket in Apache's JIRA: https://issues.apache.org/jira/browse/COLLECTIONS-580
> Other projects' examples of reports and workarounds:
> Jenkins has a temporary workaround and a security update is coming this Wednesday: https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
> and Spring already has a fix in version 4.2.3, to be officially released on 11/16: https://jira.spring.io/browse/SPR-13656
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)