[
https://issues.apache.org/jira/browse/FLINK-3005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15011226#comment-15011226
]
Stephan Ewen commented on FLINK-3005:
-------------------------------------
Important issue - we need to banish that from our classpath in any way.
Right now, I think only one class makes use of that: {{JoinHashMap}}
(https://github.com/apache/flink/blob/6e0e67d2e0d5180d6fba492e8ab9cc8fb18fdf68/flink-core/src/main/java/org/apache/flink/api/common/operators/util/JoinHashMap.java)
We need to migrate that (to a custom implementation) and then add a maven
plugin to enforce that this is not packaged into the distribution.
[~tedyu] Would you be interested in this?
> Commons-collections object deserialization remote command execution
> vulnerability
> ---------------------------------------------------------------------------------
>
> Key: FLINK-3005
> URL: https://issues.apache.org/jira/browse/FLINK-3005
> Project: Flink
> Issue Type: Bug
> Reporter: Ted Yu
>
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> TL;DR: If you have commons-collections on your classpath and accept and
> process Java object serialization data, then you may have an exploitable
> remote command execution vulnerability.
> Brief search in code base for ObjectInputStream reveals several places where
> the vulnerability exists.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
