Posted to issues@activemq.apache.org by "Justin Bertram (JIRA)" <ji...@apache.org> on 2017/10/26 15:16:00 UTC

[jira] [Commented] (ARTEMIS-1483) Upgrade beanutils to fix CVE 2015-6420

    [ https://issues.apache.org/jira/browse/ARTEMIS-1483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16220607#comment-16220607 ] 

Justin Bertram commented on ARTEMIS-1483:
-----------------------------------------

I don't have any problem in general with changing the dependency, but just so I understand the issue a bit more can you clarify where this is actually a problem?  If I run {{mvn dependency:tree | grep commons-collections}} from the root of the project I only see version 3.2.2 being used.

Also, since you're familiar with this Maven plugin it would be awesome if you could send a PR and maybe add something to the [Hacking Guide|https://github.com/apache/activemq-artemis/tree/master/docs/hacking-guide/en] about the best way to run it and inspect the report(s).

> Upgrade beanutils to fix CVE 2015-6420
> --------------------------------------
>
>                 Key: ARTEMIS-1483
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1483
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>            Reporter: Mike Hearn
>            Assignee: Justin Bertram
>
> In ARTEMIS-309 the version of Apache Commons Collections was upgraded to 3.2.2; however, this fix was not sufficient because ACC is also pulled in via Apache BeanUtils. This is a potential problem because it is enough for the bad library to be anywhere on the classpath, so whether Artemis is vulnerable or not may depend on the vagaries of classpath ordering (if both versions somehow end up in the distribution by mistake).
> BeanUtils has a 1.9.3 release where the dependency was upgraded to fix the CVE. If Artemis upgrades to BeanUtils 1.9.3 the problem is resolved.
> We noticed this in our project using the OWASP Dependency Scanner:
> https://www.owasp.org/index.php/OWASP_Dependency_Check
> It'd be a great thing for you guys to start using this wonderful plugin too. The reports it generates are excellent.
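An added example, not part of this ticket or of the Artemis code base, showing the check behind the discussion above: instead of grepping `mvn dependency:tree` output for a single version string, walk the tree, record every commons-collections node together with the artifact that pulled it in, and flag any version older than 3.2.2. The sample tree below is constructed (the `org.example` root coordinate and the BeanUtils 1.9.2 subtree are assumptions made for the example); run the script against `mvn dependency:tree > tree.txt` output to check a real build.

```sh
#!/bin/sh
# Added example: flag commons-collections versions older than the fixed
# 3.2.2 in `mvn dependency:tree` output and show which parent artifact
# pulled each one in transitively.

FIXED_CC=3.2.2

# Constructed sample output modelled on the ticket: the direct dependency is
# 3.2.2, but an old commons-beanutils still drags in 3.2.1 underneath it.
SAMPLE_TREE='[INFO] org.example:app-under-scan:jar:1.0
[INFO] +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] \- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile'

# Constructed sample after upgrading BeanUtils to 1.9.3 (ticket's proposed fix).
CLEAN_TREE='[INFO] org.example:app-under-scan:jar:1.0
[INFO] +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] \- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO]    \- commons-collections:commons-collections:jar:3.2.2:compile'

# version_lt A B: succeed (exit 0) when A < B, comparing dot-separated
# numeric components; a non-numeric component such as "Final" counts as 0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# cc_entries TREE: print "<version><TAB><parent coordinate>" for every
# commons-collections node. Depth is derived from the "+- " / "\- " marker
# column, so the nearest shallower line is the node's parent.
cc_entries() {
  printf '%s\n' "$1" | awk '
    !/:jar:/ { next }                       # skip plugin banners and blank lines
    {
      m = match($0, /- /)                   # child-node marker; absent on the root line
      if (m == 0) { depth = 0; coord = $2 }
      else        { depth = (m - 9) / 3 + 1; coord = substr($0, m + 2) }
      sub(/:(compile|test|runtime|provided|system)$/, "", coord)   # drop scope
      path[depth] = coord                   # path[d] = ancestor at depth d
      if (coord ~ /^commons-collections:commons-collections:jar:/) {
        n = split(coord, f, ":")
        print f[n] "\t" path[depth - 1]
      }
    }'
}

# find_old_cc TREE: only the entries whose version is below FIXED_CC.
find_old_cc() {
  cc_entries "$1" | while IFS="$(printf '\t')" read -r ver parent; do
    if version_lt "$ver" "$FIXED_CC"; then printf '%s\t%s\n' "$ver" "$parent"; fi
  done
}

# check_tree TREE: return 0 when no old commons-collections is present, else 1.
check_tree() {
  bad=$(find_old_cc "$1")
  if [ -n "$bad" ]; then
    printf 'commons-collections older than %s on the classpath (version, pulled in by):\n%s\n' \
      "$FIXED_CC" "$bad" >&2
    return 1
  fi
  return 0
}

# Usage: `mvn dependency:tree > tree.txt; check_tree "$(cat tree.txt)"`.
if check_tree "$SAMPLE_TREE"; then echo "sample tree: clean"; else echo "sample tree: needs the BeanUtils upgrade"; fi
```

The point of printing the parent coordinate is that a plain `grep commons-collections` can show only the winning 3.2.2 line while an older copy sits one level down under BeanUtils; Maven's nearest-wins resolution decides which one ends up in the build, but a second copy in the distribution would make the outcome depend on classpath order, as the report notes.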