[WHISKER-15] Upgrade Apache Commons Collections to v3.2.2 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 0.2
Fix Version/s: 0.2
Labels:
None

Description

Motivated by ~~RAT-213~~ we should upgrade Whisker as well.
Tentacles does not seem to use commons-collections as of now.

Context

Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of
vulnerability that exists. By merely existing on the classpath, this
library causes the Java serialization parser for the entire JVM process
to go from being a state machine to a turing machine. A turing machine
with an exec() function!

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103
https://commons.apache.org/proper/commons-collections/security-reports.html
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

Attachments

Issue Links

relates to

RAT-213 Upgrade Apache Commons Collections to v3.2.2

Closed

Activity

People

Assignee:: Philipp Ottlinger

Reporter:: Philipp Ottlinger

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 13/Mar/16 20:17

Updated:: 29/Jan/24 22:18

Resolved:: 13/Mar/16 20:49