commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jörg Schaible <>
Subject Re: [configuration] is common-configuration affected by COLLECTIONS-580
Date Wed, 18 Nov 2015 09:03:24 GMT
Hi Joël,

Joël Traber wrote:

> Hi guys,
> I am running an application working with commons-configuration version 1.6
> I just noticed a bug in
> commons-collection.
> As the older versions (will be changed in 2.0) of commons-configuration
> are having a runtime dependency to commons-collections I am wondering if
> they are potentially affected by this bug as well? Commons-configuration
> version 1.6 uses commons-collections 3.2.1. which still contains the bug.
> (From 3.2.2. they disabled the classes by default The documentation says
> only ConfigurationConverter has a dependency to commons-collections
> (org.apache.commons.collections.ExtendedProperties;). I bet that affected
> classes by the bug are never referenced and do not run. That looks to me
> pretty much that using commons-configuration 1.6 is safe, not recommended
> but safe. Even more because it is not using any Serialization support from
> commons-collections.
> Can somebody confirm this?

It is completely pointless if commons-collections is actually using some of 
those classes or not. The vulnerability applies if your application (or your 
application server, Spring or OSGi container) uses somewhere serialization 
and a vulnerable version of commons-collections is in the classpath. If an 
attacker can manipulate the serialized stream, you're affected.

Therefore you should simply look if your final application, war, etc 
contains an old copy of commons-collections and adjust your build if it is 
the case.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message