Oops, I got distracted while typing originally, and didn't spot Justin already said the same thing by the time I actually hit send. Oh well :)
On Wed, 21 Aug 2024 at 17:07, Robbie Gemmell <robbie.gemm...@gmail.com> wrote:
>
> Most of the uses in the codebase are transitive, from other commons
> dependencies, so you would need to check that we don't use the bits of
> those dependencies that require it and then specifically exclude it,
> otherwise you won't actually be able to get rid of it.
>
> On Wed, 21 Aug 2024 at 16:18, Justin Bertram <jbert...@apache.org> wrote:
> >
> > The ActiveMQ Artemis code-base doesn't use
> > org.apache.commons.collections.list.SetUniqueList so this problem doesn't
> > apply.
> >
> > That said, moving to commons-collections4 is a good idea. I've opened
> > ARTEMIS-5006 [1] for this.
> >
> >
> > Justin
> >
> > [1] https://issues.apache.org/jira/browse/ARTEMIS-5006
> >
> > On Wed, Aug 21, 2024 at 9:17 AM <apa...@materne.de> wrote:
> > >
> > > Hello,
> > >
> > > the security scanner in my company raised an issue with commons-collections,
> > > which is a transitive dependency from Artemis:
> > >
> > > Part of our „mvn dependency:tree“
> > >
> > > +- org.apache.activemq:artemis-junit-5:jar:2.36.0:test
> > > +- org.apache.activemq:artemis-server:jar:2.31.2:test
> > > \- commons-collections:commons-collections:jar:3.2.2:compile
> > >
> > > AFAIK the 3.x of commons-collections is EOL in favor of collections4,
> > > also with new GAV coordinates:
> > >
> > > <groupId>org.apache.commons</groupId>
> > > <artifactId>commons-collections4</artifactId>
> > >
> > > Some details about that security issue:
> > >
> > > Score
> > > vulnerability sonatype-2024-3350 with severity >= 7 (severity = 8.7)
> > >
> > > Explanation
> > > The Apache commons-collections packages are vulnerable to a Denial of
> > > Service (DoS) attack. The add() method of the SetUniqueList class mishandles
> > > the order of operations when invoking its parent List implementation.
> > > Consequently, adding an instance of itself results in infinite recursion
> > > and deviates from the behavior defined by the standard JRE List contract. A
> > > remote attacker who can cause an application to add SetUniqueList instances
> > > to themselves can exploit this vulnerability to crash the affected
> > > application with a StackOverflowError exception.
> > >
> > > Version Affected
> > > [3.2,3.2.2]
> > >
> > > Root Cause
> > > commons-collections-3.2.2.redhat-2.jar org/apache/commons/collections/list/SetUniqueList.class [3.0, )
> > >
> > > Advisories
> > > Project
> > > https://issues.apache.org/jira/browse/COLLECTIONS-701
> > >
> > > CVSS Details
> > > Sonatype CVSS 4
> > > 8.7
> > > CVSS Vector
> > > CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
> > >
> > > That issue is fixed for 4.3.
> > >
> > > Do you plan to update to collections4?
> > >
> > > cheers
> > > Jan Matèrne

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@activemq.apache.org
For additional commands, e-mail: dev-h...@activemq.apache.org
For further information, visit: https://activemq.apache.org/contact
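As an added illustration, not part of the thread above and not Artemis project code: the "specifically exclude it" step Robbie describes, applied in a downstream project's pom.xml. The coordinates and the 2.31.2 version are the ones from Jan's dependency tree; the commons-collections4 version 4.4 is an assumption, picked only because the scanner output says the fix landed in 4.3. It also assumes the downstream code has already been checked for its own uses of the commons-collections 3.x packages, because an exclusion only removes the jar from the classpath and does nothing for classes that still import it.

```xml
<!-- Added example, not from the thread: drop the EOL commons-collections 3.x that
     arrives transitively through artemis-server, and depend on collections4 directly. -->
<dependencies>
  <dependency>
    <groupId>org.apache.activemq</groupId>
    <artifactId>artemis-server</artifactId>
    <version>2.31.2</version>   <!-- version taken from the dependency tree in the thread -->
    <scope>test</scope>
    <exclusions>
      <!-- the transitive artifact the scanner flagged (sonatype-2024-3350 / COLLECTIONS-701) -->
      <exclusion>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- the new GAV coordinates quoted in the thread; 4.4 is an assumed version at or above the 4.3 fix -->
  <dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-collections4</artifactId>
    <version>4.4</version>
  </dependency>
</dependencies>
```

Two checks go with this. First, the exclusion only cuts the one path shown in the tree; if another dependency also pulls the 3.x artifact in, it comes back, so re-run `mvn dependency:tree -Dincludes=commons-collections:commons-collections` afterwards and expect an empty result. Second, the transitive users Robbie mentions are not touched by the exclusion: if any library on the classpath still needs the 3.x classes at runtime, the application will fail with a NoClassDefFoundError instead of being silently fixed, which is exactly why he says the usage check has to come before the exclusion rather than after it.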