Thanks for the very fast reply. I will close our security issue if the dependency is transitive over artemis. For direct dependencies our projects have to investigate.
Jan

-----Original Message-----
From: Robbie Gemmell <robbie.gemm...@gmail.com>
Sent: Wednesday, 21 August 2024 18:09
To: dev@activemq.apache.org
Subject: Re: Issue with transitive dependency on commons-collections

Oops, I got distracted while typing originally, and didn't spot Justin already said the same thing by the time I actually hit send. Oh well :)

On Wed, 21 Aug 2024 at 17:07, Robbie Gemmell <robbie.gemm...@gmail.com> wrote:
>
> Most of the uses in the codebase are transitive, from other commons dependencies, so you would need to check that we don't use the bits of those dependencies that require it and then specifically exclude it, otherwise you won't actually be able to get rid of it.
>
> On Wed, 21 Aug 2024 at 16:18, Justin Bertram <jbert...@apache.org> wrote:
> >
> > The ActiveMQ Artemis code-base doesn't use org.apache.commons.collections.list.SetUniqueList so this problem doesn't apply.
> >
> > That said, moving to commons-collections4 is a good idea. I've opened ARTEMIS-5006 [1] for this.
> >
> > Justin
> >
> > [1] https://issues.apache.org/jira/browse/ARTEMIS-5006
> >
> > On Wed, Aug 21, 2024 at 9:17 AM <apa...@materne.de> wrote:
> > > Hello,
> > >
> > > the security scanner in my company raised an issue with commons-collections, which is a transitive dependency from Artemis:
> > >
> > > Part of our „mvn dependency:tree“
> > > +- org.apache.activemq:artemis-junit-5:jar:2.36.0:test
> > >    +- org.apache.activemq:artemis-server:jar:2.31.2:test
> > >       \- commons-collections:commons-collections:jar:3.2.2:compile
> > >
> > > AFAIK the 3.x of commons-collections is EOL in favor of collections4 – also with new GAV coordinates
> > > <groupId>org.apache.commons</groupId>
> > > <artifactId>commons-collections4</artifactId>
> > >
> > > Some details about that security issue:
> > >
> > > Score
> > > vulnerability sonatype-2024-3350 with severity >= 7 (severity = 8.7)
> > >
> > > Explanation
> > > The Apache commons-collections packages are vulnerable to a Denial of Service (DoS) attack. The add() method of the SetUniqueList class mishandles the order of operations when invoking its parent List implementation. Consequently, adding an instance of itself results in infinite recursion and deviates from the behavior defined by the standard JRE List contract. A remote attacker who can cause an application to add SetUniqueList instances to themselves can exploit this vulnerability to crash the affected application with a StackOverflowError exception.
> > >
> > > Version Affected
> > > [3.2,3.2.2]
> > >
> > > Root Cause
> > > commons-collections-3.2.2.redhat-2.jar org/apache/commons/collections/list/SetUniqueList.class [3.0, )
> > >
> > > Advisories
> > > Project
> > > https://issues.apache.org/jira/browse/COLLECTIONS-701
> > >
> > > CVSS Details
> > > Sonatype CVSS 4
> > > 8.7
> > > CVSS Vector
> > > CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
> > >
> > > That issue is fixed for 4.3.
> > >
> > > Do you plan to update to collections4?
> > >
> > > cheers
> > > Jan Matèrne

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@activemq.apache.org
For additional commands, e-mail: dev-h...@activemq.apache.org
For further information, visit: https://activemq.apache.org/contact
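The "specifically exclude it" step Robbie describes, written out as an added example that is not from the thread or the Artemis project; the coordinates and versions are taken from Jan's dependency tree, and the verification command assumes the standard maven-dependency-plugin.

```xml
<!-- Constructed pom.xml fragment for illustration. The test-scoped artemis-junit-5
     dependency in Jan's tree pulls artemis-server, which in turn pulls
     commons-collections 3.2.2. The exclusion is declared on the direct dependency,
     because Maven exclusions apply to the whole transitive subtree below it. -->
<dependency>
  <groupId>org.apache.activemq</groupId>
  <artifactId>artemis-junit-5</artifactId>
  <version>2.36.0</version>
  <scope>test</scope>
  <exclusions>
    <!-- Only safe after confirming that nothing on this classpath actually loads the
         excluded classes (Robbie's caveat): Maven does not verify that, and a class
         that is still referenced fails at runtime with NoClassDefFoundError, not at
         build time. -->
    <exclusion>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Confirm the exclusion took effect with `mvn dependency:tree -Dincludes=commons-collections:commons-collections`, which should then list no matching artifact; if it still appears, another direct dependency is bringing it in and needs the same treatment.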