[ 
https://issues.apache.org/jira/browse/VALIDATOR-383?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sebb resolved VALIDATOR-383.
----------------------------
    Resolution: Not A Problem

1) Validator only uses FastHashMap which AFAICT is unrelated.

2) in any case, Collections is not vulnerable unless the deserialisation code 
is passed unsanitised input; i.e. it is an application issue, not a library 
issue.

> Commons-collections object deserialization remote command execution 
> vulnerability
> ---------------------------------------------------------------------------------
>
>                 Key: VALIDATOR-383
>                 URL: https://issues.apache.org/jira/browse/VALIDATOR-383
>             Project: Commons Validator
>          Issue Type: Bug
>    Affects Versions: 1.4.1 Release
>            Reporter: Brandon Kite
>
> I copied this issue from a different project since it also impacts 
> commons-validator.
> Read: 
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> TL;DR: If you have commons-collections on your classpath and accept and 
> process Java object serialization data, then you probably have an exploitable 
> remote command execution vulnerability.
> The Commons Collection dependency should be upgraded to the latest version 
> (4.1) to remediate this vulnerability.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to