cloudstack-users mailing list archives

From John Kinsella <...@stratosec.co>
Subject Re: cloudstack vulnerable by COLLECTIONS-580?
Date Tue, 10 Nov 2015 19:32:05 GMT
Thanks for sending this, Rene. In the future, please send issues like this to security@cloudstack.apache.org.

We’re looking things over, and will have further comments after review.

John

On Nov 10, 2015, at 6:07 AM, Rene Moser <mail@renemoser.net> wrote:

Hi

This security issue came to my attention:
https://issues.apache.org/jira/browse/COLLECTIONS-580

See
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
for more background information.

I am not sure if cloudstack is affected, at least we have a dependency on
this vulnerable lib:

$ grep -Rl InvokerTransformer .
./plugins/hypervisors/kvm/target/dependencies/commons-collections-3.2.1.jar
./client/target/cloud-client-ui-4.5.2.war
./client/target/cloud-client-ui-4.5.2/WEB-INF/lib/commons-collections-3.2.1.jar
./usage/target/dependencies/commons-collections-3.2.1.jar
./agent/target/dependencies/commons-collections-3.2.jar
./engine/service/target/engine/WEB-INF/lib/commons-collections-3.2.jar

Thanks for clarification.

Yours
René
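
An added example, not part of this thread or of the CloudStack project, that automates the inventory check Rene ran with `grep -Rl InvokerTransformer .`. A jar stores its entry names uncompressed, which is why plain grep finds the class name inside the archive; the script below opens each jar/war/ear with `zipfile`, recurses into jars nested under `WEB-INF/lib`, looks for the `InvokerTransformer` class entry, and classifies the hit by the commons-collections version in the file name (3.2.2 and 4.1 are the releases that fixed COLLECTIONS-580, and 3.2.2 still ships the class, so grep alone cannot tell a patched jar from a vulnerable one). The build tree it scans is constructed in a temporary directory to resemble the paths in Rene's grep output; the path names, the `patched/` and `clean/` directories, and the four-byte stand-in class files are assumptions made for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Entry name of the gadget class reported in COLLECTIONS-580.
INVOKER = "org/apache/commons/collections/functors/InvokerTransformer.class"
# Releases in which deserialization of the unsafe functors was disabled by default.
FIXED_3X = (3, 2, 2)
FIXED_4X = (4, 1)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(name):
    """Version tuple from a commons-collections file name, e.g. commons-collections-3.2.1.jar -> (3, 2, 1).
    Returns None for any other archive, since a war's own version says nothing about the bundled jar."""
    base = os.path.basename(name)
    if not base.startswith("commons-collections"):
        return None
    stem = base.rsplit(".", 1)[0]
    last = stem.split("-")[-1]
    try:
        return tuple(int(x) for x in last.split("."))
    except ValueError:
        return None


def classify(version):
    """'fixed' / 'vulnerable' by fix version per major line; 'unknown' when no version could be read."""
    if version is None:
        return "unknown"
    if version[0] == 3:
        return "fixed" if version >= FIXED_3X else "vulnerable"
    if version[0] == 4:
        return "fixed" if version >= FIXED_4X else "vulnerable"
    return "unknown"


def scan_archive(data, label, findings):
    """Inspect zip bytes for the InvokerTransformer entry and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if INVOKER in names:
            version = parse_version(label)
            findings.append({"archive": label, "version": version, "status": classify(version)})
        for n in names:
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                # '!' separates the outer archive from the nested entry, as in jar: URLs
                scan_archive(zf.read(n), label + "!" + n, findings)


def scan_tree(root):
    """Walk a build tree and return one finding per archive that contains the class."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), os.path.relpath(path, root), findings)
    return sorted(findings, key=lambda x: x["archive"])


def build_sample_tree(root):
    """Constructed toy tree (assumed layout, not real CloudStack artifacts); class bodies are stand-in bytes."""
    def make_archive(path, entries):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)

    cc = {INVOKER: b"\xca\xfe\xba\xbe", "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}
    make_archive(os.path.join(root, "agent/target/dependencies/commons-collections-3.2.jar"), cc)
    make_archive(os.path.join(root, "usage/target/dependencies/commons-collections-3.2.1.jar"), cc)
    make_archive(os.path.join(root, "patched/commons-collections-3.2.2.jar"), cc)
    make_archive(os.path.join(root, "clean/commons-lang-2.6.jar"),
                 {"org/apache/commons/lang/StringUtils.class": b"\xca\xfe\xba\xbe"})
    # a war bundling the vulnerable jar under WEB-INF/lib, like cloud-client-ui in the thread
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        for name, content in cc.items():
            zf.writestr(name, content)
    make_archive(os.path.join(root, "client/target/cloud-client-ui.war"),
                 {"WEB-INF/lib/commons-collections-3.2.1.jar": inner.getvalue()})


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:10} {f['archive']}  version={f['version']}")
```

The check matches on the entry name, so a copy of the class that a build has shaded or relocated into another package is not reported; on a real tree, treat an `unknown` result as "open the archive and read its manifest" rather than as clean.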
