Thank you for responding, Matthew.
However, the problem depicted there is that it doesn't matter whether you're are serialzing/deserializing objects in runtime, having the JAR in the classpath is enough to get this exploitation on the job. Currently, m2e seems to be packaging this JAR in org.eclipse.m2e.archetype.common for both 1.4 and 1.5.
For 4.x version, they are still working on it AFAIK.
With that being said. Does this sound convincing enough to fix it in m2e? Even better, should I open a bugzilla to track this?
Thanks again.
----- Original message -----
From: Matthew Piggott <mpiggott@xxxxxxxxxxxx>
Sent by: m2e-users-bounces@xxxxxxxxxxx
To: Maven Integration for Eclipse users mailing list <m2e-users@xxxxxxxxxxx>
Cc:
Subject: Re: [m2e-users] Vulnerability problem found in M2E
Date: Tue, Nov 17, 2015 3:12 PM
It seems unlikely m2e is affected by it.
Its been a while but I don't recall m2e using class serialization internally. The bundle suggests the archetypes, I don't know if the maven archetypes use object serialization but since they can already result in arbitrary code being run on your system (via the generated pom) it doesn't seem an attack source.
On 17 November 2015 at 16:05, Victor Adrian Sosa Herrera <victorsh@xxxxxxxxxxx> wrote:
Hello Community.
Throwing again this question to the table. Will this problem be fixed by m2e team?
Thanks
----- Original message -----
From: Victor Adrian Sosa Herrera/Mexico/IBM
To: m2e-users@xxxxxxxxxxx
Cc:
Subject: Vulnerability problem found in M2E
Date: Mon, Nov 16, 2015 1:39 PM
Hello community.
The fix is on its way and tracked under this JIRA
Now, I've been digging this a little bit and found that one M2E plugin is bundling this commons-collections.jar archive, at least on Eclipse Luna. Doing a quick search in the Eclipse installation I found this
org.eclipse.m2e.archetype.common_1.5.0.20140605-2032/commons-collections-3.2.jar
Do you have any plans to patch this plugin with the updated library (once available)?