[
https://issues.apache.org/jira/browse/FLINK-3005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15012108#comment-15012108
]
ASF GitHub Bot commented on FLINK-3005:
---------------------------------------
GitHub user tedyu opened a pull request:
https://github.com/apache/flink/pull/1381
FLINK-3005 Commons-collections object deserialization remote command …
…execution vulnerability
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/tedyu/flink master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/flink/pull/1381.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1381
----
commit 216c41f20aef19b515d94f276ceda39a232ab689
Author: tedyu <[email protected]>
Date: 2015-11-18T21:56:31Z
FLINK-3005 Commons-collections object deserialization remote command
execution vulnerability
----
> Commons-collections object deserialization remote command execution
> vulnerability
> ---------------------------------------------------------------------------------
>
> Key: FLINK-3005
> URL: https://issues.apache.org/jira/browse/FLINK-3005
> Project: Flink
> Issue Type: Bug
> Reporter: Ted Yu
>
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> TL;DR: If you have commons-collections on your classpath and accept and
> process Java object serialization data, then you may have an exploitable
> remote command execution vulnerability.
> Brief search in code base for ObjectInputStream reveals several places where
> the vulnerability exists.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
