[VELTOOLS-169] Upgrade or remove commons-collections compile dependency - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.0
Fix Version/s: 3.0
Component/s: Build
Labels:
None

Description

Remove commons-collection dependency, or upgrade commons-collections to v3.2.2 or v4.1 or later to mitigate level 9 threat.

Old name: commons-collections:commons-collections
Current name: org.apache.commons:commons-collections4

Velocity Tools v2.0 uses commons-collections:commons-collections v3.2

commons-collections4 v4.1 includes the critical security fix ~~COLLECTIONS-580~~. Quoting from v4.1 release notes:

Serialization support for unsafe classes in the functor package has been removed completely as this can be exploited for remote code execution attacks. Classes considered to be unsafe are:

CloneTransformer
ForClosure
InstantiateFactory
InstantiateTransformer
InvokerTransformer
PrototypeCloneFactory
PrototypeSerializationFactory
WhileClosure.

Attachments

Issue Links

depends upon

COLLECTIONS-580 Arbitrary remote code execution with InvokerTransformer

Closed

VELOCITY-869 Vulnerability in dependency: commons-collections:3.2.1

Closed

fixes

MRRESOURCES-116 Upgrade Apache Velocity due to vulnerability in commons-collections v3.2.1

Closed

links to

Apache Commons statement to widespread Java object de-serialisation vulnerability

Release Notes for Apache Commons v4.1

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.

(1 links to)

Activity

People

Assignee:: Claude Brisson

Reporter:: Mark Symons

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 30/Nov/15 16:33

Updated:: 10/Oct/21 20:32

Resolved:: 29/Sep/18 22:55