Folks,
First, org.apache.commons.collections is in Orbit, so there may be
other teams affected by this possible exploit. We're working to get the
"fixed" version - 3.2.2 - into Orbit. Second, WTP is in the process of
determining how to handle this issue - you can follow
https://bugs.eclipse.org/bugs/show_bug.cgi?id=482134 if you want to see how
we decide to proceed.
Part of the issue is that any adopter that extends Dali has the
potential to deserialize persisted objects - we can't control what adopters
do... but we can reduce/eliminate the possibility that a security hole can
be exploited.
FWIW,
- Carl Anderson
WTP Releng project lead
From: Rob Stryker <[email protected]>
To: [email protected]
Date: 11/16/2015 05:17 PM
Subject: [cross-project-issues-dev] Question on commons-collections dependencies
Sent by: [email protected]
Hi All:
You may have seen the recent news about deserializing random streams via
commons-collections [1] and how this can lead to remote exploits.
While it seems pretty unlikely that Eclipse is vulnerable to this, it's
worth noting that commons-collections is a requirement of
org.eclipse.jpt.jpa, and possibly other bundles in various distributions.
I may be misunderstanding the issue, but as I understand it, simply
having the jar on the classpath isn't enough to exploit. Instead, you
must actually be either 1) using the library to deserialize some
persisted (untrusted) Java object, or 2) exposing ports and accepting
arbitrary serialized data and then deserializing it.
So the question is, do any Eclipse distributions (Classic, JEE, etc.)
have any reason to open ports and accept remote connections and blindly
deserialize the data?
- Rob Stryker
[1]
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
_______________________________________________
cross-project-issues-dev mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe
from this list, visit
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
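Rob's point that the jar alone is harmless, and that the risk lies in handing untrusted bytes to ObjectInputStream, points at the standard mitigation for code that has to deserialize persisted data: decide which classes the stream is allowed to name before any instance is created, and refuse everything else. The following is an added example written for this page, not code from WTP, Dali or commons-collections. PersistedSetting is a hypothetical stand-in for a persisted object; a plain ArrayList stands in for whatever unexpected class an attacker might put in the stream, so no gadget chain is needed to exercise the check.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Set;

public class SafeDeserializationDemo {

    // Hypothetical application class standing in for a persisted Dali/JPT object.
    // It is the only type we expect to find in our own persisted data.
    static final class PersistedSetting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        final String value;

        PersistedSetting(String key, String value) {
            this.key = key;
            this.value = value;
        }
    }

    /**
     * ObjectInputStream that only resolves classes on an explicit allowlist.
     * resolveClass() runs when the stream names a class, before any instance
     * of it exists, so a stream that names an unexpected class (for example a
     * commons-collections Transformer) is rejected before its readObject()
     * or any other code of that class can run.
     */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "class not permitted in persisted data");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The allowlist is deliberately tiny: our one persisted type. Strings and
    // primitives are written inline by the serialization protocol and never
    // reach resolveClass(), so they need no entry.
    static Object deserializeChecked(byte[] data) throws IOException, ClassNotFoundException {
        Set<String> allowed = Collections.singleton(PersistedSetting.class.getName());
        try (ObjectInputStream ois =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload (constructed here): accepted.
        byte[] good = serialize(new PersistedSetting("dialect", "HSQL"));
        PersistedSetting s = (PersistedSetting) deserializeChecked(good);
        System.out.println("accepted: " + s.key + "=" + s.value);

        // Unexpected payload (constructed here): a stream naming a class that is
        // not on the allowlist. ArrayList is harmless; an attacker-chosen class
        // would be refused at exactly the same point.
        byte[] bad = serialize(new ArrayList<String>());
        try {
            deserializeChecked(bad);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeDeserializationDemo.java && java SafeDeserializationDemo`; it needs only the JDK (7 or later). The same policy covers Rob's second case, bytes arriving over a socket, since the check does not care where the InputStream comes from. On JDK 9 and later the allowlist can instead be expressed with the built-in ObjectInputFilter (JEP 290) via ObjectInputStream.setObjectInputFilter, which also lets you cap stream depth and array sizes; the resolveClass override above is the portable form for older runtimes such as the Java 7/8 targets current when this thread was written.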