You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@flink.apache.org by "Stephan Ewen (JIRA)" <ji...@apache.org> on 2015/11/19 14:51:10 UTC
[jira] [Resolved] (FLINK-3005) Commons-collections object
deserialization remote command execution vulnerability
[ https://issues.apache.org/jira/browse/FLINK-3005?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stephan Ewen resolved FLINK-3005.
---------------------------------
Resolution: Fixed
Assignee: Ted Yu
Fix Version/s: 0.10.1
1.0.0
Fixed in
- 0.10.1 via 9defe0cb289bfd8c3cfc37e8895e337147e82d29
- 1.0.0 via 206120631d97898c9396d74b2450eb36af17e06a
> Commons-collections object deserialization remote command execution vulnerability
> ---------------------------------------------------------------------------------
>
> Key: FLINK-3005
> URL: https://issues.apache.org/jira/browse/FLINK-3005
> Project: Flink
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Fix For: 1.0.0, 0.10.1
>
>
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> TL;DR: If you have commons-collections on your classpath and accept and process Java object serialization data, then you may have an exploitable remote command execution vulnerability.
> Brief search in code base for ObjectInputStream reveals several places where the vulnerability exists.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)