[jira] [Commented] (FLINK-3005) Commons-collections object deserialization remote command execution vulnerability

Ted Yu (JIRA) Wed, 18 Nov 2015 07:57:23 -0800

    [ 
https://issues.apache.org/jira/browse/FLINK-3005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15011251#comment-15011251
 ]


Ted Yu commented on FLINK-3005:
-------------------------------

Would update to Commons Collections 3.2.2 alleviate the remote code execution 
vulnerability ?

See https://issues.apache.org/jira/browse/COLLECTIONS-580

> Commons-collections object deserialization remote command execution 
> vulnerability
> ---------------------------------------------------------------------------------
>
>                 Key: FLINK-3005
>                 URL: https://issues.apache.org/jira/browse/FLINK-3005
>             Project: Flink
>          Issue Type: Bug
>            Reporter: Ted Yu
>
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> TL;DR: If you have commons-collections on your classpath and accept and 
> process Java object serialization data, then you may have an exploitable 
> remote command execution vulnerability.
> Brief search in code base for ObjectInputStream reveals several places where 
> the vulnerability exists.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (FLINK-3005) Commons-collections object deserialization remote command execution vulnerability

Reply via email to