Posted to issues@hawq.apache.org by "Lei Chang (JIRA)" <ji...@apache.org> on 2016/01/24 02:34:39 UTC

[jira] [Closed] (HAWQ-151) Investigate if Apache HAWQ is vulnerable to Java remote code execution vulnerability

     [ https://issues.apache.org/jira/browse/HAWQ-151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lei Chang closed HAWQ-151.
--------------------------

> Investigate if Apache HAWQ is vulnerable to Java remote code execution vulnerability
> ------------------------------------------------------------------------------------
>
>                 Key: HAWQ-151
>                 URL: https://issues.apache.org/jira/browse/HAWQ-151
>             Project: Apache HAWQ
>          Issue Type: Task
>          Components: PXF
>            Reporter: C.J. Jameson
>            Assignee: Shivram Mani
>            Priority: Critical
>             Fix For: 2.0.0-beta-incubating
>
>
> There is a remote code execution vulnerability in Apache Commons Collections. This vulnerability affects many Java applications and frameworks, so we should check if our code is also vulnerable.
> Here's the article that started the current debate about this vulnerability, including links to the original conference talk: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> Here's the ticket in Apache's JIRA: https://issues.apache.org/jira/browse/COLLECTIONS-580
> Other projects' examples of reports and workarounds:
> Jenkins has a temporary workaround and a security update is coming this Wednesday: https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
> and Spring already has a fix in version 4.2.3, to be officially released on 11/16: https://jira.spring.io/browse/SPR-13656



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
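The investigation the ticket asks for starts with a classpath inventory: which JARs on the box carry the Commons Collections functor classes used in the published gadget chain, and at what version. The script below is an added example for that triage step, not HAWQ/PXF or Commons Collections project code. It scans JARs for the InvokerTransformer/InstantiateTransformer classes, reads the version from the manifest (falling back to the file name), and compares it against the releases that resolved COLLECTIONS-580 by refusing to deserialize those functors by default (3.2.2 on the 3.x line, 4.1 on the 4.x line). The sample JARs it scans are constructed in memory with a placeholder class-file body and are not real artifacts; the gadget class list, the version thresholds and the `scan_directory` helper are this example's own choices.

```python
"""Triage JARs for unpatched Commons Collections deserialization gadgets.

Added example for the check discussed in HAWQ-151; not project code.
Sample JARs are constructed inline (no real artifacts are read).
"""
import io
import os
import re
import zipfile

# Functor classes from the public gadget chain (3.x and 4.x package names).
# Assumed list for this example; a real scan should cover every class the
# COLLECTIONS-580 fix gated, plus shaded/relocated copies.
GADGET_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections/functors/InstantiateTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InstantiateTransformer.class",
)

# First release per major line that disables deserialization of the unsafe
# functors by default (COLLECTIONS-580). Older builds are flagged vulnerable.
FIXED_VERSIONS = {3: (3, 2, 2), 4: (4, 1, 0)}


def parse_version(text):
    """Extract a (major, minor, patch) tuple from a manifest value or file name."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def manifest_version(zf):
    """Read Implementation-Version or Bundle-Version from META-INF/MANIFEST.MF."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(r"^%s:\s*(\S+)" % key, manifest, re.MULTILINE)
        if m:
            return parse_version(m.group(1))
    return None


def scan_jar(name, data):
    """Classify one JAR: clean, vulnerable, patched-default, or unknown-version."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        gadgets = sorted(g for g in GADGET_CLASSES if g in names)
        version = manifest_version(zf) or parse_version(name)
    result = {"jar": name, "version": version, "gadgets": gadgets}
    if not gadgets:
        result["status"] = "clean"
    elif version is None or version[0] not in FIXED_VERSIONS:
        # Gadget class present but no usable version: needs a manual look.
        result["status"] = "unknown-version"
    elif version < FIXED_VERSIONS[version[0]]:
        result["status"] = "vulnerable"
    else:
        # Class still ships in fixed releases; deserialization is only gated
        # by default, so the caller must not re-enable it via system property.
        result["status"] = "patched-default"
    return result


def scan_directory(root):
    """Walk a real directory tree (e.g. a lib/ dir) and scan every .jar in it."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(".jar"):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    results[path] = scan_jar(fname, fh.read())
    return results


def build_jar(entries, version=None):
    """Construct a minimal in-memory JAR for the demonstration (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


# Constructed sample classpath: two 3.x builds, one 4.x build, an unrelated
# library, and a shaded jar whose version cannot be determined.
SAMPLE_JARS = {
    "commons-collections-3.2.1.jar": build_jar(GADGET_CLASSES[:2], "3.2.1"),
    "commons-collections-3.2.2.jar": build_jar(GADGET_CLASSES[:2], "3.2.2"),
    "commons-collections4-4.0.jar": build_jar(GADGET_CLASSES[2:], "4.0"),
    "guava-18.0.jar": build_jar(["com/google/common/base/Joiner.class"], "18.0.0"),
    "shaded-app.jar": build_jar([GADGET_CLASSES[0]]),
}


def scan_all(jars=SAMPLE_JARS):
    """Scan a mapping of jar name -> bytes and return one result per jar."""
    return {name: scan_jar(name, data) for name, data in jars.items()}


if __name__ == "__main__":
    for name, r in scan_all().items():
        print("%-32s %-16s %s" % (name, r["status"], ",".join(r["gadgets"])))
```

A hit from this scan is necessary but not sufficient: the chain only fires if some code path feeds attacker-controlled bytes to `ObjectInputStream.readObject()`, so the second half of the investigation is finding those entry points (RPC endpoints, cached session blobs, JMX/RMI listeners). Conversely, a "patched-default" result is only as good as the JVM flags, since the 3.2.2 fix can be switched back off with the `org.apache.commons.collections.enableUnsafeSerialization` system property, and classes relocated into another package by a shade plugin will not match the paths above.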