[ https://issues.apache.org/jira/browse/CLOUDSTACK-9053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15012220#comment-15012220 ]
ASF GitHub Bot commented on CLOUDSTACK-9053:
--------------------------------------------

GitHub user DaanHoogland opened a pull request:

    https://github.com/apache/cloudstack/pull/1089

    CLOUDSTACK-9053 security upgrade as per COLLECTIONS-580

    CloudStack is not vulnerable, but as the classes are in, they might be used in the future, so we upgrade to prevent accidental vulnerabilities.
    Integration test against master going on.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/DaanHoogland/cloudstack CLOUDSTACK-9053

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1089.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1089

----
commit d40d3498a6faa62fb8dc0df4d4e14b07a8363cb3
Author: Daan Hoogland <d...@onecht.net>
Date:   2015-11-18T21:54:25Z

    CLOUDSTACK-9053 security upgrade as per COLLECTIONS-580

    CloudStack is not vulnerable, but as the classes are in, they might be used in the future, so we upgrade to prevent accidental vulnerabilities.

----


> CloudStack is dependent upon a vulnerable version of Commons Collections
> ------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9053
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9053
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>            Reporter: John Kinsella
>
> COLLECTIONS-580 was brought to our attention today. Current versions of
> Apache Commons Collections contain a serialization/unserialization
> vulnerability which may result in remote code execution.
> CloudStack does not seem to use the specific vulnerable class
> InvokerTransformer, so in theory we could recommend pulling that class from
> the jars/wars, but still looking to see what else we can do...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
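The issue above weighs two remedies: pulling InvokerTransformer out of the shipped jars/wars, or (what the pull request does) upgrading the dependency. Either way, the first thing an operator wants is an inventory of which archives on a deployment actually bundle the gadget class and which Commons Collections version they carry. The script below is an added example, not code from CloudStack or from the pull request. It walks jars, recurses into jars nested inside wars/ears (the `WEB-INF/lib` case), reports archives that contain `InvokerTransformer` in either the 3.x or 4.x package layout, and reads `Implementation-Version` from the manifest. It assumes, as stated in the code, that 3.2.2 and 4.1 are the first Commons Collections releases carrying the COLLECTIONS-580 fix; the sample archives are constructed in memory so the example runs offline.

```python
import io
import zipfile

# Classpath entries of the gadget class used by the COLLECTIONS-580 chain,
# in the 3.x and 4.x package layouts.
GADGET_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)

# Assumption: first releases that refuse to deserialize the unsafe functors
# by default (3.2.2 for the 3.x line, 4.1 for the 4.x line).
FIXED_VERSIONS = {3: (3, 2, 2), 4: (4, 1, 0)}


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); a non-numeric suffix such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_fixed(version):
    """True when the bundled Commons Collections version carries the COLLECTIONS-580 fix."""
    if version is None:
        return False
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    return fixed is not None and v >= fixed


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_archive(data, name):
    """Report every archive (including jars nested in a war/ear) that ships the gadget class.

    Presence of the class alone is not a verdict: the fixed releases still
    contain InvokerTransformer and block it at deserialization time instead,
    so the manifest version decides between 'fixed' and 'vulnerable'.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        present = [c for c in GADGET_CLASSES if c in names]
        if present:
            version = manifest_version(zf)
            findings.append({
                "archive": name,
                "classes": present,
                "version": version,
                "status": "fixed" if is_fixed(version) else "vulnerable",
            })
        for entry in names:
            if entry.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(scan_archive(zf.read(entry), f"{name}!{entry}"))
    return findings


def build_jar(entries):
    """Constructed in-memory archive; a real audit would read the bytes from disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def sample_archives():
    """Constructed sample: a vulnerable jar, a fixed jar, and a war nesting the vulnerable jar."""
    manifest = "Manifest-Version: 1.0\nImplementation-Version: {}\n"
    class_bytes = b"\xca\xfe\xba\xbe"  # placeholder, not a real class file
    vulnerable = build_jar({"META-INF/MANIFEST.MF": manifest.format("3.2.1"),
                            GADGET_CLASSES[0]: class_bytes})
    fixed = build_jar({"META-INF/MANIFEST.MF": manifest.format("3.2.2"),
                       GADGET_CLASSES[0]: class_bytes})
    war = build_jar({"WEB-INF/lib/commons-collections-3.2.1.jar": vulnerable,
                     "WEB-INF/lib/other.jar": build_jar({"META-INF/MANIFEST.MF": manifest.format("1.0")})})
    return {"commons-collections-3.2.1.jar": vulnerable,
            "commons-collections-3.2.2.jar": fixed,
            "cloud-server.war": war}


def audit(archives):
    """Scan a mapping of archive name -> bytes and return all findings."""
    findings = []
    for name, data in archives.items():
        findings.extend(scan_archive(data, name))
    return findings


if __name__ == "__main__":
    for f in audit(sample_archives()):
        print(f"{f['status']:10} {f['archive']} (version {f['version']})")
```

Stripping the class from the archive, as the issue considers, would make the first check go silent but leaves no version trail to audit later; upgrading, as the pull request does, keeps the class but records a version that this kind of scan can verify, which is why the script keys its verdict on the manifest rather than on class presence.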