Re: [cross-project-issues-dev] Question on commons-collectionsdependenci

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [cross-project-issues-dev] Question on commons-collectionsdependencies

From: "Carl Anderson" <ccc@xxxxxxxxxx>
Date: Mon, 16 Nov 2015 23:09:37 -0500
Delivered-to: cross-project-issues-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/cross-project-issues-dev>
List-help: <mailto:cross-project-issues-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=unsubscribe>

Folks,

First, org.apache.commons.collections is in Orbit, so there may be other teams affected by this possible exploit. We're working to get the "fixed" version - 3.2.2 - into Orbit. Second, WTP is in the process of determining how to handle this issue- you can follow https://bugs.eclipse.org/bugs/show_bug.cgi?id=482134 if you want to see how we decide to proceed.
Part of the issue is that any adopter that extends Dali has the potential to deserialize persisted objects- we can't control what adopters do... but we can reduce/eliminate the possibility that a security hole can be exploited.

FWIW,

- Carl Anderson
WTP Releng project lead

Rob Stryker ---11/16/2015 05:17:37 PM---Hi All: You may have seen the recent news about deserializing random streams via

From: Rob Stryker <rstryker@xxxxxxxxxx>
To: cross-project-issues-dev@xxxxxxxxxxx
Date: 11/16/2015 05:17 PM
Subject: [cross-project-issues-dev] Question on commons-collections dependencies
Sent by: cross-project-issues-dev-bounces@xxxxxxxxxxx

Hi All: You may have seen the recent news about deserializing random streams via commons-collections [1] and how this can lead to remote exploits. While it seems pretty unlikely that eclipse is vulnerable to this, it's worth noting that commons-collections is a requirement of org.eclipse.jpt.jpa, and possibly other bundles in various distributions. I may be misunderstanding the issue, but as I understand it, simply having the jar on the classpath isn't enough to exploit. Instead, you must actually be either 1) using the library to deserialize some persisted (untrusted) java object, or 2) be exposing ports and accepting arbitrary serialized data and then deserializing it. So the question is, do any eclipse distributions (classic, jee, etc) have any reason to open ports and accept remote connections and blindly deserialize the data? - Rob Stryker [1]http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/_______________________________________________ cross-project-issues-dev mailing list cross-project-issues-dev@xxxxxxxxxxx To change your delivery options, retrieve your password, or unsubscribe from this list, visithttps://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev

Follow-Ups:
- Re: [cross-project-issues-dev] Question on commons-collectionsdependencies
  - From: Christian Campo

References:
- [cross-project-issues-dev] JDK 9 Early Access with Project Jigsaw
  - From: Wayne Beaton
- [cross-project-issues-dev] Question on commons-collections dependencies
  - From: Rob Stryker

Prev by Date: Re: [cross-project-issues-dev] [science-iwg] Facebook Open Academy for Winter 2016
Next by Date: Re: [cross-project-issues-dev] Question on commons-collectionsdependencies
Previous by thread: [cross-project-issues-dev] Question on commons-collections dependencies
Next by thread: Re: [cross-project-issues-dev] Question on commons-collectionsdependencies
Index(es):
- Date
- Thread

Breadcrumbs