After looking into this more it's clear we can't simply exclude
commons-collections:commons-collections. At the very least, the
functionality we use from commons-beanutils:commons-beanutils uses a
collection from it.


Justin

On Thu, Aug 22, 2024 at 11:00 AM Justin Bertram <jbert...@apache.org> wrote:

> To clarify...
>
> ActiveMQ Artemis _does_ have a direct dependency on
> commons-collections:commons-collections. Note that in Robbie's previous
> email he said, "Most of the uses in the codebase are transitive..." (i.e.
> _most_, not all).
>
> We can eliminate this direct dependency fairly easily, but we may not be
> able to eliminate the transitive dependency. I'm continuing to look into
> this.
>
>
> Justin
>
> On Thu, Aug 22, 2024 at 12:53 AM <apa...@materne.de> wrote:
>
>> Thanks for the very fast reply.
>> I will close our security issue if the dependency is transitive over
>> artemis.
>> For direct dependencies our projects have to investigate.
>>
>> Jan
>>
>> -----Original Message-----
>> From: Robbie Gemmell <robbie.gemm...@gmail.com>
>> Sent: Wednesday, 21 August 2024 18:09
>> To: dev@activemq.apache.org
>> Subject: Re: Issue with transitive dependency on commons-collections
>>
>> Oops, I got distracted while typing originally, and didn't spot Justin
>> already said the same thing by the time I actually hit send. Oh well
>> :)
>>
>> On Wed, 21 Aug 2024 at 17:07, Robbie Gemmell <robbie.gemm...@gmail.com>
>> wrote:
>> >
>> > Most of the uses in the codebase are transitive, from other commons
>> > dependencies, so you would need to check that we don't use the bits of
>> > those dependencies that require it and then specifically exclude it,
>> > otherwise you won't actually be able to get rid of it.
>> >
>> > On Wed, 21 Aug 2024 at 16:18, Justin Bertram <jbert...@apache.org>
>> wrote:
>> > >
>> > > The ActiveMQ Artemis code-base doesn't use
>> > > org.apache.commons.collections.list.SetUniqueList so this problem
>> > > doesn't apply.
>> > >
>> > > That said, moving to commons-collections4 is a good idea. I've
>> > > opened ARTEMIS-5006 [1] for this.
>> > >
>> > >
>> > > Justin
>> > >
>> > > [1] https://issues.apache.org/jira/browse/ARTEMIS-5006
>> > >
>> > > On Wed, Aug 21, 2024 at 9:17 AM <apa...@materne.de> wrote:
>> > >
>> > > > Hello,
>> > > >
>> > > > the security scanner in my company raised an issue with
>> > > > commons-collections, which is a transitive dependency from
>> > > > Artemis:
>> > > >
>> > > > Part of our "mvn dependency:tree"
>> > > >
>> > > > +- org.apache.activemq:artemis-junit-5:jar:2.36.0:test
>> > > >    +- org.apache.activemq:artemis-server:jar:2.31.2:test
>> > > >       \- commons-collections:commons-collections:jar:3.2.2:compile
>> > > >
>> > > > AFAIK the 3.x of commons-collections is EOL in favor of
>> > > > collections4 – also with new GAV coordinates
>> > > >
>> > > > <groupId>org.apache.commons</groupId>
>> > > > <artifactId>commons-collections4</artifactId>
>> > > >
>> > > > Some details about that security issue:
>> > > >
>> > > > Score
>> > > > vulnerability sonatype-2024-3350 with severity >= 7 (severity =
>> > > > 8.7)
>> > > >
>> > > > Explanation
>> > > > The Apache commons-collections packages are vulnerable to a Denial
>> > > > of Service (DoS) attack. The add() method of the SetUniqueList
>> > > > class mishandles the order of operations when invoking its parent
>> > > > List implementation.
>> > > > Consequently, adding an instance of itself results in infinite
>> > > > recursion and deviates from the behavior defined by the standard
>> > > > JRE List contract. A remote attacker who can cause an application
>> > > > to add SetUniqueList instances to themselves can exploit this
>> > > > vulnerability to crash the affected application with a
>> > > > StackOverflowError exception.
>> > > >
>> > > > Version Affected
>> > > >     [3.2,3.2.2]
>> > > >
>> > > > Root Cause
>> > > > commons-collections-3.2.2.redhat-2.jar
>> > > > org/apache/commons/collections/list/SetUniqueList.class [3.0, )
>> > > >
>> > > > Advisories
>> > > >     Project
>> > > >         https://issues.apache.org/jira/browse/COLLECTIONS-701
>> > > >
>> > > > CVSS Details
>> > > >     Sonatype CVSS 4
>> > > >         8.7
>> > > >     CVSS Vector
>> > > >         CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
>> > > >
>> > > > That issue is fixed for 4.3.
>> > > >
>> > > > Do you plan to update to collections4?
>> > > >
>> > > > cheers
>> > > > Jan Matèrne
>> > > >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@activemq.apache.org
>> For additional commands, e-mail: dev-h...@activemq.apache.org
>> For further information, visit: https://activemq.apache.org/contact

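The question the thread turns on, whether commons-collections reaches a project directly or only transitively (and in which scope), can be answered mechanically from `mvn dependency:tree` output. The script below is an added example, not code from the thread or from the Artemis project; it parses a constructed sample tree (with the same Artemis coordinates Jan quoted plus a hypothetical commons-beanutils path and a hypothetical direct declaration) and reports every path by which the artifact arrives.

```python
import re
from dataclasses import dataclass
# Constructed sample `mvn dependency:tree` output (not from the thread): two transitive paths, one direct.
SAMPLE_TREE = """\
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.apache.activemq:artemis-junit-5:jar:2.36.0:test
[INFO] |  \\- org.apache.activemq:artemis-server:jar:2.31.2:test
[INFO] |     \\- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  \\- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] \\- commons-collections:commons-collections:jar:3.2.2:compile
"""
# Tree line: optional "[INFO] ", 3-char indent columns ("|  " or "   "), an
# optional "+- " / "\- " connector (the root has none), then the coordinate.
LINE = re.compile(r"^(?:\[INFO\] )?((?:[| ]  )*)(?:([+\\])- )?(\S+)")


@dataclass(frozen=True)
class Hit:
    chain: tuple  # from the project's own direct dependency down to the target
    scope: str

    @property
    def direct(self) -> bool:
        return len(self.chain) == 1


def find_dependency(tree_text: str, group_id: str, artifact_id: str) -> list:
    """Return every occurrence of group:artifact with the path that pulls it in."""
    stack, hits = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw)
        parts = m.group(3).split(":") if m else []
        if len(parts) < 4:  # blank lines, plugin banners, separators: not a GAV
            continue
        depth = len(m.group(1)) // 3 + 1 if m.group(2) else 0
        del stack[depth:]  # pop back to this line's parent
        stack.append(m.group(3))
        if parts[0] == group_id and parts[1] == artifact_id:
            hits.append(Hit(tuple(stack[1:]), parts[-1]))
    return hits


def classify(hits: list) -> dict:
    """Reviewer verdict: declared directly? which direct deps drag it in? scopes?"""
    return {"present": bool(hits), "direct": any(h.direct for h in hits),
            "transitive_via": sorted({h.chain[0] for h in hits if not h.direct}),
            "scopes": sorted({h.scope for h in hits})}


if __name__ == "__main__":
    print(classify(find_dependency(SAMPLE_TREE, "commons-collections", "commons-collections")))
```

Run it against real output with `mvn dependency:tree | python3 script.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; a hit whose chain starts with a test-scoped artifact (as in Jan's excerpt) never ships in the deployed artifact, while a direct hit means an exclusion on the parent will not remove it.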