Apache Taverna / TAVERNA-934

Security fix: Upgrade Commons Collections


Details

    • Important

    Description

      As raised by Glenn Lewis in
      https://github.com/apache/incubator-taverna-server/pull/1
      we use Commons Collections 3.2.1, which has a CVSS 10.0 remote code execution vulnerability.

      This affects anyone who has Commons Collections on the classpath - basically, through Maven dependencies, that would also mean anyone who has the Taverna SCUFL2 API on the classpath.

      This does not affect just Taverna Server - but also indirectly, as Commons Collections is also a transitive dependency, e.g. from commons-beanutils:

      [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:test
      [INFO] |  +- commons-logging:commons-logging:jar:1.1.1:compile
      [INFO] |  \- commons-collections:commons-collections:jar:3.2.1:test
      

      Thus we should update taverna-maven-parent - perhaps to have a <dependencyManagement> section - to force a newer version of commons-collections across the board.
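      As an added example (not the ticket's own change), the <dependencyManagement> section proposed above written into the taverna-maven-parent POM. The groupId and parent version are assumed, and 3.2.2 is assumed as the fixed commons-collections release; only the artifactId taverna-maven-parent and the 3.2.1 dependency come from the ticket.

```xml
<!-- Added example, not the ticket's own patch: a dependencyManagement entry
     for the taverna-maven-parent POM that pins commons-collections so every
     child module inherits the fixed version, whether the artifact is declared
     directly or pulled in transitively (e.g. via commons-beanutils:1.9.2). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- groupId and version are assumed placeholders, not taken from the ticket -->
  <groupId>org.apache.taverna</groupId>
  <artifactId>taverna-maven-parent</artifactId>
  <version>ASSUMED-PARENT-VERSION</version>
  <packaging>pom</packaging>

  <properties>
    <!-- 3.2.2 is assumed here as the 3.x release that addresses the
         deserialization issue; confirm against the upstream release notes. -->
    <commons.collections.version>3.2.2</commons.collections.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version overrides the 3.2.1 requested transitively by
           commons-beanutils, in every scope, without each module having to
           declare commons-collections itself. -->
      <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>${commons.collections.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

      To confirm the override took effect, run `mvn dependency:tree -Dincludes=commons-collections:commons-collections` in a child module such as the one showing the tree above; it should now resolve to 3.2.2, and adding `-Dverbose` annotates the entry as managed from 3.2.1.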

      People

        stain Stian Soiland-Reyes
        Votes: 0
        Watchers: 2