[
https://issues.apache.org/jira/browse/VALIDATOR-383?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sebb resolved VALIDATOR-383.
----------------------------
Resolution: Not A Problem
1) Validator only uses FastHashMap which AFAICT is unrelated.
2) in any case, Collections is not vulnerable unless the deserialisation code
is passed unsanitised input; i.e. it is an application issue, not a library
issue.
> Commons-collections object deserialization remote command execution
> vulnerability
> ---------------------------------------------------------------------------------
>
> Key: VALIDATOR-383
> URL: https://issues.apache.org/jira/browse/VALIDATOR-383
> Project: Commons Validator
> Issue Type: Bug
> Affects Versions: 1.4.1 Release
> Reporter: Brandon Kite
>
> I copied this issue from a different project since it also impacts
> commons-validator.
> Read:
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> TL;DR: If you have commons-collections on your classpath and accept and
> process Java object serialization data, then you probably have an exploitable
> remote command execution vulnerability.
> The Commons Collection dependency should be upgraded to the latest version
> (4.1) to remediate this vulnerability.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)