On Tue, Nov 10, 2015 at 10:51 AM, Mark Thomas <ma...@apache.org>
> You only need a CVE ID if there is a vulnerability.
>
> I would argue (and the OPs appear to agree with me) that this is NOT a
> vulnerability in Apache Commons Collections. The vulnerability lies in
> applications that are blindly deserializing data from an untrusted
> source. Given the nature of Java deserialization, that is somewhere on
> the scale between foolish and reckless.
>
> Commons is taking action to reduce the risk to developers if they do
> deserialize untrusted data but that doesn't change the fact that the
> root cause / vulnerability is the deserialization of untrusted data, not
> what Commons Collections then does with it.
I won't argue on that. Fact is, there are such applications out there (as of yet, we are aware of Jenkins, OpenNMS, WebSphere, JBoss, and WebLogic [1], but the list is most likely incomplete, and there are unidentified applications), and there is a vulnerability. Hence the need for an identifier.

Jochen

1: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

--
The next time you hear: "Don't reinvent the wheel!"
http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
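The mitigation both posters circle around, an application refusing to deserialize classes it does not expect, looks like this in practice. The following is an added example written for this page, not code from the thread, from Apache Commons, or from any of the products named above. It subclasses `ObjectInputStream` and rejects any class descriptor that is not on an allowlist inside `resolveClass()`, which the JDK calls before it instantiates an object of that class. The allowlist contents and the two sample payloads are assumptions constructed for the demonstration; `java.util.HashMap` is used only as a stand-in for "a type the application never asked for".

```java
import java.io.*;
import java.util.*;

// Added example (not part of the thread): a look-ahead allowlist on
// ObjectInputStream. The application decides up front which classes a
// stream from an untrusted peer may contain; anything else is refused in
// resolveClass(), before any instance of that class is created.
public final class SafeObjectInputStream extends ObjectInputStream {

    // Hypothetical allowlist chosen for this demonstration. Serializable
    // superclasses (Number for Integer) appear in the stream as their own
    // descriptors, so they must be listed too.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.lang.String",
            "java.lang.Integer",
            "java.lang.Number",
            "java.util.ArrayList"));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Array descriptors such as "[Ljava.lang.String;" are rejected as
        // well unless they are listed explicitly.
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not in deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Helper used only to build the constructed sample payloads below.
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Entry point an application would use for bytes received from a peer.
    public static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a payload made only of allowlisted classes.
        ArrayList<Object> expected = new ArrayList<>(Arrays.asList("alice", 42));
        System.out.println("accepted: " + deserialize(serialize(expected)));

        // Constructed sample 2: a payload carrying a class the application
        // never expects. HashMap is benign here; it stands in for any
        // unexpected type. The rejection fires before the object exists.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        try {
            deserialize(serialize(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Since Java 9 (and in later Java 8 updates) the JDK offers the same idea natively through `java.io.ObjectInputFilter`, which can be set per stream or process-wide; the `resolveClass()` override above is the portable form of that check. Either way, the decision about which classes are acceptable belongs to the application reading the stream, which is exactly where Mark places the root cause.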