cloudstack-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-9053) CloudStack is dependent upon a vulnerable version of Commons Collections
Date Wed, 18 Nov 2015 22:38:11 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15012220#comment-15012220 ]

ASF GitHub Bot commented on CLOUDSTACK-9053:
--------------------------------------------

GitHub user DaanHoogland opened a pull request:

    https://github.com/apache/cloudstack/pull/1089

    CLOUDSTACK-9053 security upgrade as per COLLECTIONS-580

      cloudstack is not vulnerable, but as the classes are in, they might
      be used in the future, so we upgrade to prevent accidental
      vulnerabilities.

    integration test against master going on.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/DaanHoogland/cloudstack CLOUDSTACK-9053

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1089.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1089
    
----
commit d40d3498a6faa62fb8dc0df4d4e14b07a8363cb3
Author: Daan Hoogland <daan@onecht.net>
Date:   2015-11-18T21:54:25Z

    CLOUDSTACK-9053 security upgrade as per COLLECTIONS-580

      cloudstack is not vulnerable, but as the classes are in, they might
      be used in the future, so we upgrade to prevent accidental
      vulnerabilities.

----


> CloudStack is dependent upon a vulnerable version of Commons Collections
> ------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9053
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9053
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>            Reporter: John Kinsella
>
> COLLECTIONS-580 was brought to our attention today. Current versions of Apache Commons
> Collections contain a serialization/unserialization vulnerability which may result in remote
> code execution.
> CloudStack does not seem to use the specific vulnerable class InvokerTransformer, so
> in theory we could recommend pulling that class from the jars/wars, but still looking to see
> what else we can do...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
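Added here as a worked illustration, not part of the JIRA ticket or of the CloudStack pull request: the ticket's remediation options are to upgrade Commons Collections or to pull the InvokerTransformer class out of the shipped jars/wars, and either way a defender first needs an inventory of which archives actually carry that class. The Python script below walks a directory tree, opens every jar/war/ear (recursing into jars bundled under a war, such as WEB-INF/lib), reports each archive that contains the InvokerTransformer class entry and the Implementation-Version from its manifest. The class paths (the 3.x package from the ticket plus the relocated collections4 package), the demo directory name and the constructed sample archives are assumptions of the example; the script reports the version it finds rather than judging it, so the operator compares it against the fixed release named in COLLECTIONS-580.

```python
"""Inventory jars/wars for the Commons Collections class named in COLLECTIONS-580."""
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Optional

# Class entry singled out in the JIRA description (org.apache.commons.collections.functors.InvokerTransformer).
# Commons Collections 4.x relocated the package to org.apache.commons.collections4, so both paths are checked.
INVOKER_TRANSFORMER_ENTRIES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)

Finding = Dict[str, Optional[str]]


def _manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        data = zf.read("META-INF/MANIFEST.MF").decode("utf-8", errors="replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_archive(zf: zipfile.ZipFile, label: str, findings: List[Finding]) -> None:
    """Record a finding if the archive ships InvokerTransformer; recurse into nested jars."""
    names = set(zf.namelist())
    hits = [n for n in INVOKER_TRANSFORMER_ENTRIES if n in names]
    if hits:
        findings.append({"archive": label, "class": hits[0], "version": _manifest_version(zf)})
    # Jars bundled inside a war/ear (e.g. WEB-INF/lib/*.jar) are opened from memory.
    for name in names:
        if name.endswith(".jar"):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                inspect_archive(inner, f"{label}!{name}", findings)


def scan(root: str) -> List[Finding]:
    """Walk `root` and return one finding per archive (outer or nested) carrying the class."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_archive(zf, path, findings)
                except zipfile.BadZipFile:
                    continue  # not a zip container; skip rather than abort the inventory
    return findings


def build_demo_tree(root: str) -> None:
    """Write constructed sample archives (fake class bytes, not real Commons Collections jars)."""
    os.makedirs(root, exist_ok=True)
    manifest = b"Manifest-Version: 1.0\r\nImplementation-Version: 0.0-demo\r\n\r\n"
    cc = io.BytesIO()
    with zipfile.ZipFile(cc, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(INVOKER_TRANSFORMER_ENTRIES[0], b"\xca\xfe\xba\xbe")  # constructed stand-in
    with open(os.path.join(root, "commons-collections-demo.jar"), "wb") as f:
        f.write(cc.getvalue())
    with zipfile.ZipFile(os.path.join(root, "app-demo.war"), "w") as war:
        war.writestr("WEB-INF/lib/commons-collections-demo.jar", cc.getvalue())
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
    with zipfile.ZipFile(os.path.join(root, "clean-demo.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("com/example/Hello.class", b"\xca\xfe\xba\xbe")


def run_demo() -> List[Finding]:
    """Build the constructed tree in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="cc-scan-demo-")
    build_demo_tree(root)
    return scan(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['archive']}: {f['class']} (Implementation-Version={f['version']})")
```

Run it against a real deployment with `scan("/path/to/cloudstack")` instead of `run_demo()`; the nested label `app.war!WEB-INF/lib/x.jar` tells you which war to rebuild when the offending jar is embedded rather than on the classpath directly, and an archive with no manifest version still shows up so that nothing is silently skipped.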
