Posted to users@cxf.apache.org by venkatesham nalla <v_...@hotmail.com> on 2015/12/15 16:34:29 UTC

Commons Collections Vulnerability

Hi,


Is there a security advisory for CXF related to the commons-collections security vulnerability? All the versions of CXF including 2.7.18, 3.0.7 and 3.1.4 are using commons-collections-3.2.1.jar. Will it be fixed in the next release, or can we just download commons-collections-3.2.2.jar and replace commons-collections-3.2.1.jar?


thanks,

Venkat


Re: Commons Collections Vulnerability

Posted by Moritz Bechler <be...@agno3.eu>.
Hi,

> Is there a security advisory for CXF related to the commons-collections security vulnerability? All the versions of CXF including 2.7.18, 3.0.7 and 3.1.4 are using commons-collections-3.2.1.jar. Will it be fixed in the next release, or can we just download commons-collections-3.2.2.jar and replace commons-collections-3.2.1.jar?

Having that on the classpath alone is not really a vulnerability. The
real vulnerability is using (unsafe) deserialization on untrusted input.
You can be pretty much sure that just replacing the commons-collections
JAR will still leave you vulnerable in a typical Java project (if you or
any of your libraries perform such deserialization).

Having said that, collections 3.2.2 should be a drop-in replacement (as
opposed to 4.0->4.1).

Quickly grepping through the CXF code, there actually seems to be a
vulnerability when using Aegis with serialization enabled. Don't know
how common that is.


Moritz


-- 
AgNO3 GmbH & Co. KG, registered office Tübingen, Amtsgericht Stuttgart HRA 728731
Personally liable partner:
Metagesellschaft mbH, registered office Tübingen, Amtsgericht Stuttgart HRB 744820,
represented by Joachim Keltsch
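The reply above makes the point that swapping the commons-collections JAR does not remove the underlying risk: any code path that hands an `ObjectInputStream` untrusted bytes can be driven through whatever serializable classes happen to be on the classpath. The usual mitigation on the application side is to restrict which classes the stream may instantiate. The following is an added example, not CXF or Apache code, that shows this with the JDK's own `java.io.ObjectInputFilter` (available since Java 9): an allowlist admits `ArrayList` and `String` and rejects every other class before any of its fields are read. The class names, the `NotAllowed` type and the sample payloads are all constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not CXF code): limit ObjectInputStream to an allowlist of
 * classes with the JDK's ObjectInputFilter (Java 9+). The class names and
 * sample inputs below are constructed for illustration only.
 */
public class FilteredDeserialization {

    /**
     * Allowlist pattern: permit ArrayList and String, cap nesting depth and
     * object count, and reject ("!*") every other class. Patterns are
     * evaluated left to right, so the reject-all entry must come last.
     */
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;maxdepth=5;maxrefs=1000;!*");

    /** A constructed serializable class that is deliberately NOT on the allowlist. */
    static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
        String field = "constructed";
    }

    /**
     * Deserialize with the allowlist applied. The filter is consulted for each
     * class descriptor before the object is instantiated, so a class outside
     * the allowlist aborts the read with InvalidClassException.
     */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST); // must be set before the first readObject()
            return in.readObject();
        }
    }

    /** Serialization helper used only to build the constructed sample inputs. */
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // An allowed payload: a list of strings round-trips normally.
        List<String> ok = new ArrayList<>();
        ok.add("hello");
        System.out.println("Accepted: " + readFiltered(toBytes(ok)));

        // A payload containing a class outside the allowlist is rejected
        // before any of its fields are read.
        try {
            readFiltered(toBytes(new NotAllowed()));
            System.out.println("Unexpected: NotAllowed was accepted");
        } catch (InvalidClassException e) {
            System.out.println("Rejected by filter: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied JVM-wide with the `jdk.serialFilter` system property (for example `-Djdk.serialFilter='java.util.ArrayList;java.lang.String;!*'`), which covers deserialization performed by third-party libraries such as the Aegis case mentioned above, without changing their code; a per-stream filter as shown is preferable where the application owns the `ObjectInputStream`, because the allowlist can be tailored to the types that endpoint actually expects.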