Hi,

Thanks for sharing this article.

Based on my understanding, commons-collections has a vulnerability when unserializing Java objects so if you can inject a forged serialized object, you can trick the system.

In the CAS server, we use serialization but only internally, to communicate with the ticket registries for example. We don't have any serialized Java objects as inputs. So no risk at all.

Best regards,
Jérôme

2015-11-09 12:37 GMT+01:00 Ian Wright <[email protected]>:

> Have just seen this
>
> Any thoughts?
>
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
