To clarify... ActiveMQ Artemis _does_ have a direct dependency on commons-collections:commons-collections. Note that in Robbie's previous email he said, "Most of the uses in the codebase are transitive..." (i.e. _most_, not all).

We can eliminate this direct dependency fairly easily, but we may not be able to eliminate the transitive dependency. I'm continuing to look into this.

Justin

On Thu, Aug 22, 2024 at 12:53 AM <apa...@materne.de> wrote:
> Thanks for the very fast reply.
> I will close our security issue if the dependency is transitive over
> artemis.
> For direct dependencies our projects have to investigate.
>
> Jan
>
> -----Original Message-----
> From: Robbie Gemmell <robbie.gemm...@gmail.com>
> Sent: Wednesday, 21 August 2024 18:09
> To: dev@activemq.apache.org
> Subject: Re: Issue with transitive dependency on commons-collections
>
> Oops, I got distracted while typing originally, and didn't spot Justin
> already said the same thing by the time I actually hit send. Oh well
> :)
>
> On Wed, 21 Aug 2024 at 17:07, Robbie Gemmell <robbie.gemm...@gmail.com>
> wrote:
> >
> > Most of the uses in the codebase are transitive, from other commons
> > dependencies, so you would need to check that we don't use the bits of
> > those dependencies that require it and then specifically exclude it,
> > otherwise you won't actually be able to get rid of it.
> >
> > On Wed, 21 Aug 2024 at 16:18, Justin Bertram <jbert...@apache.org>
> > wrote:
> > >
> > > The ActiveMQ Artemis code-base doesn't use
> > > org.apache.commons.collections.list.SetUniqueList so this problem
> > > doesn't apply.
> > >
> > > That said, moving to commons-collections4 is a good idea. I've
> > > opened ARTEMIS-5006 [1] for this.
> > >
> > > Justin
> > >
> > > [1] https://issues.apache.org/jira/browse/ARTEMIS-5006
> > >
> > > On Wed, Aug 21, 2024 at 9:17 AM <apa...@materne.de> wrote:
> > > >
> > > > Hello,
> > > >
> > > > the security scanner in my company raised an issue with
> > > > commons-collections, which is a transitive dependency from
> > > > Artemis:
> > > >
> > > > Part of our "mvn dependency:tree"
> > > >
> > > > +- org.apache.activemq:artemis-junit-5:jar:2.36.0:test
> > > > +- org.apache.activemq:artemis-server:jar:2.31.2:test
> > > > \- commons-collections:commons-collections:jar:3.2.2:compile
> > > >
> > > > AFAIK the 3.x of commons-collections is EOL in favor of
> > > > collections4 – also with new GAV coordinates
> > > >
> > > > <groupId>org.apache.commons</groupId>
> > > > <artifactId>commons-collections4</artifactId>
> > > >
> > > > Some details about that security issue:
> > > >
> > > > Score
> > > > vulnerability sonatype-2024-3350 with severity >= 7 (severity = 8.7)
> > > >
> > > > Explanation
> > > > The Apache commons-collections packages are vulnerable to a Denial
> > > > of Service (DoS) attack. The add() method of the SetUniqueList
> > > > class mishandles the order of operations when invoking its parent
> > > > List implementation.
> > > > Consequently, adding an instance of itself results in infinite
> > > > recursion and deviates from the behavior defined by the standard
> > > > JRE List contract. A remote attacker who can cause an application
> > > > to add SetUniqueList instances to themselves can exploit this
> > > > vulnerability to crash the affected application with a
> > > > StackOverflowError exception.
> > > >
> > > > Version Affected
> > > > [3.2,3.2.2]
> > > >
> > > > Root Cause
> > > > commons-collections-3.2.2.redhat-2.jar org/apache/commons/collections/list/SetUniqueList.class [3.0, )
> > > >
> > > > Advisories
> > > > Project
> > > > https://issues.apache.org/jira/browse/COLLECTIONS-701
> > > >
> > > > CVSS Details
> > > > Sonatype CVSS 4
> > > > 8.7
> > > > CVSS Vector
> > > > CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
> > > >
> > > > That issue is fixed for 4.3.
> > > >
> > > > Do you plan to update to collections4?
> > > >
> > > > cheers
> > > > Jan Matèrne
> > > >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@activemq.apache.org
> For additional commands, e-mail: dev-h...@activemq.apache.org
> For further information, visit: https://activemq.apache.org/contact
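As an added example that is not part of this thread or of the Artemis project: a small script that performs the check Robbie and Jan are discussing. It walks "mvn dependency:tree" output, reports every commons-collections:commons-collections entry whose version falls in the affected range [3.2,3.2.2] quoted above, and says whether it is a direct or a transitive dependency. The sample tree is constructed from the excerpt in the thread; its nesting and the extra direct entry are assumptions.

```python
"""Flag vulnerable commons-collections 3.x entries in `mvn dependency:tree` output.
Added example, not code from the thread or the Artemis project; the affected range
[3.2,3.2.2] and the line format come from the thread, the sample nesting is assumed.
"""
import itertools
import re

VULNERABLE_GA = "commons-collections:commons-collections"
AFFECTED_RANGE = ("3.2", "3.2.2")  # inclusive bounds quoted from the advisory

# Constructed sample tree modelled on the excerpt in the thread, plus one direct
# dependency so both the direct and the transitive case are exercised.
SAMPLE_TREE = """\
com.example:app:jar:1.0.0
+- org.apache.activemq:artemis-junit-5:jar:2.36.0:test
|  \\- org.apache.activemq:artemis-server:jar:2.31.2:test
|     \\- commons-collections:commons-collections:jar:3.2.2:compile
+- commons-collections:commons-collections:jar:3.2.1:compile
\\- org.apache.commons:commons-collections4:jar:4.4:compile
"""

# Tree-drawing prefix (three characters per nesting level), then the coordinates.
LINE_RE = re.compile(r"^(?P<prefix>[|+\\\- ]*)(?P<coords>\S+)")

def parse_version(version):
    """Leading numeric components only: '3.2.2.redhat-2' compares as 3.2.2."""
    parts = re.split(r"[.-]", version)
    return tuple(int(p) for p in itertools.takewhile(str.isdigit, parts))

def in_affected_range(version):
    lo, hi = (parse_version(v) for v in AFFECTED_RANGE)
    return lo <= parse_version(version) <= hi

def find_vulnerable(tree_text):
    """Return (version, is_direct, path) for every affected occurrence."""
    findings, stack = [], []  # stack: coordinates from the root down to this node
    for line in tree_text.splitlines():
        m = LINE_RE.match(line.removeprefix("[INFO] "))  # full mvn output has [INFO]
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        stack[depth:] = [m.group("coords")]
        parts = m.group("coords").split(":")
        if len(parts) < 4:
            continue
        version = parts[4] if len(parts) == 6 else parts[3]  # a classifier shifts it
        if ":".join(parts[:2]) == VULNERABLE_GA and in_affected_range(version):
            findings.append((version, depth == 1, " -> ".join(stack)))
    return findings
```

Feed the real "mvn dependency:tree" output to find_vulnerable: a direct hit is fixed in your own POM, while a transitive one needs the usage check and explicit exclusion Robbie describes.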