[ https://issues.apache.org/jira/browse/FLINK-3005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15011251#comment-15011251 ]
Ted Yu commented on FLINK-3005:
-------------------------------

Would an update to Commons Collections 3.2.2 alleviate the remote code execution vulnerability?
See https://issues.apache.org/jira/browse/COLLECTIONS-580

> Commons-collections object deserialization remote command execution vulnerability
> ---------------------------------------------------------------------------------
>
>                 Key: FLINK-3005
>                 URL: https://issues.apache.org/jira/browse/FLINK-3005
>             Project: Flink
>          Issue Type: Bug
>            Reporter: Ted Yu
>
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> TL;DR: If you have commons-collections on your classpath and accept and process Java object serialization data, then you may have an exploitable remote command execution vulnerability.
> Brief search in code base for ObjectInputStream reveals several places where the vulnerability exists.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)