Velocity Tools / VELTOOLS-169

Upgrade or remove commons-collections compile dependency


Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 3.0
    • Component/s: Build
    • Labels: None

    Description

      Remove the commons-collections dependency, or upgrade commons-collections to v3.2.2 or v4.1 or later, to mitigate a level 9 threat.

      Old name: commons-collections:commons-collections
      Current name: org.apache.commons:commons-collections4

      Velocity Tools v2.0 uses commons-collections:commons-collections v3.2

      commons-collections4 v4.1 includes the critical security fix COLLECTIONS-580. Quoting from v4.1 release notes:

      Serialization support for unsafe classes in the functor package has been removed completely as this can be exploited for remote code execution attacks. Classes considered to be unsafe are:

      CloneTransformer
      ForClosure
      InstantiateFactory
      InstantiateTransformer
      InvokerTransformer
      PrototypeCloneFactory
      PrototypeSerializationFactory
      WhileClosure.
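As an added example (not part of the issue or of the Velocity Tools project), the check a build owner would run to find out whether the upgrade above is still outstanding: it parses `mvn dependency:list`-style lines (group:artifact:type:version:scope) and flags any commons-collections coordinate below the fixed versions named in this issue. It covers both the old and the renamed coordinates, since a project that has only partly migrated can carry either; the sample output is constructed.

```python
import re

# Fixed versions stated in VELTOOLS-169: the commons-collections 3.x line is
# fixed from 3.2.2, the renamed commons-collections4 line from 4.1.
FIXED_VERSIONS = {
    ("commons-collections", "commons-collections"): (3, 2, 2),
    ("org.apache.commons", "commons-collections4"): (4, 1),
}

def parse_version(text):
    """Turn '3.2', '3.2.2' or '4.1-SNAPSHOT' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def pad(v, n):
    """Right-pad a version tuple with zeros so 3.2 compares as 3.2.0."""
    return v + (0,) * (n - len(v))

def is_vulnerable(group, artifact, version):
    """True if the coordinate is a commons-collections release below the fix version."""
    fixed = FIXED_VERSIONS.get((group, artifact))
    if fixed is None:
        return False
    v = parse_version(version)
    n = max(len(v), len(fixed))
    return pad(v, n) < pad(fixed, n)

def scan_dependency_list(output):
    """Parse `mvn dependency:list`-style lines (group:artifact:type:version:scope)
    and return the coordinates that still need the upgrade."""
    findings = []
    for line in output.splitlines():
        m = re.search(r"([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+):(\w+)", line)
        if not m:
            continue
        group, artifact, version, scope = m.groups()
        if is_vulnerable(group, artifact, version):
            findings.append(f"{group}:{artifact}:{version} ({scope})")
    return findings

# Constructed sample output, modelled on the Velocity Tools 2.0 situation.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    commons-collections:commons-collections:jar:3.2:compile
[INFO]    org.apache.commons:commons-collections4:jar:4.1:compile
[INFO]    commons-lang:commons-lang:jar:2.4:compile
"""

if __name__ == "__main__":
    for finding in scan_dependency_list(SAMPLE):
        print("needs upgrade:", finding)
```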

          People

            Assignee: cbrisson Claude Brisson
            Reporter: marks Mark Symons
            Votes: 0
            Watchers: 4
