You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by Rene Moser <ma...@renemoser.net> on 2015/11/10 15:07:05 UTC
cloudstack vulnerable by COLLECTIONS-580?
Hi
This security issue came to my attention:
https://issues.apache.org/jira/browse/COLLECTIONS-580
See
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
for more background information.
I am not sure if cloudstack is affected, at least we have dependency to
this vulnerable lib:
$ grep -Rl InvokerTransformer .
./plugins/hypervisors/kvm/target/dependencies/commons-collections-3.2.1.jar
./client/target/cloud-client-ui-4.5.2.war
./client/target/cloud-client-ui-4.5.2/WEB-INF/lib/commons-collections-3.2.1.jar
./usage/target/dependencies/commons-collections-3.2.1.jar
./agent/target/dependencies/commons-collections-3.2.jar
./engine/service/target/engine/WEB-INF/lib/commons-collections-3.2.jar
Thanks for clarification.
Yours
René
Re: cloudstack vulnerable by COLLECTIONS-580?
Posted by John Kinsella <jl...@stratosec.co>.
Thanks for sending this, Rene. In the future, please send issues like this to security@cloudstack.apache.org<ma...@cloudstack.apache.org>.
We’re looking things over, and will have further comments after review.
John
On Nov 10, 2015, at 6:07 AM, Rene Moser <ma...@renemoser.net>> wrote:
Hi
This security issue came to my attention:
https://issues.apache.org/jira/browse/COLLECTIONS-580
See
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
for more background information.
I am not sure if cloudstack is affected, at least we have dependency to
this vulnerable lib:
$ grep -Rl InvokerTransformer .
./plugins/hypervisors/kvm/target/dependencies/commons-collections-3.2.1.jar
./client/target/cloud-client-ui-4.5.2.war
./client/target/cloud-client-ui-4.5.2/WEB-INF/lib/commons-collections-3.2.1.jar
./usage/target/dependencies/commons-collections-3.2.1.jar
./agent/target/dependencies/commons-collections-3.2.jar
./engine/service/target/engine/WEB-INF/lib/commons-collections-3.2.jar
Thanks for clarification.
Yours
René
Re: cloudstack vulnerable by COLLECTIONS-580?
Posted by John Kinsella <jl...@stratosec.co>.
Thanks for sending this, Rene. In the future, please send issues like this to security@cloudstack.apache.org<ma...@cloudstack.apache.org>.
We’re looking things over, and will have further comments after review.
John
On Nov 10, 2015, at 6:07 AM, Rene Moser <ma...@renemoser.net>> wrote:
Hi
This security issue came to my attention:
https://issues.apache.org/jira/browse/COLLECTIONS-580
See
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
for more background information.
I am not sure if cloudstack is affected, at least we have dependency to
this vulnerable lib:
$ grep -Rl InvokerTransformer .
./plugins/hypervisors/kvm/target/dependencies/commons-collections-3.2.1.jar
./client/target/cloud-client-ui-4.5.2.war
./client/target/cloud-client-ui-4.5.2/WEB-INF/lib/commons-collections-3.2.1.jar
./usage/target/dependencies/commons-collections-3.2.1.jar
./agent/target/dependencies/commons-collections-3.2.jar
./engine/service/target/engine/WEB-INF/lib/commons-collections-3.2.jar
Thanks for clarification.
Yours
René