[ https://issues.apache.org/jira/browse/WHISKER-15?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Philipp Ottlinger resolved WHISKER-15.
--------------------------------------
    Resolution: Fixed

URL: http://svn.apache.org/viewvc?rev=1734853&view=rev
DONE

> Upgrade Apache Commons Collections to v3.2.2
> --------------------------------------------
>
>                 Key: WHISKER-15
>                 URL: https://issues.apache.org/jira/browse/WHISKER-15
>             Project: Apache Whisker
>          Issue Type: Improvement
>    Affects Versions: 0.2
>            Reporter: Philipp Ottlinger
>            Assignee: Philipp Ottlinger
>             Fix For: 0.2
>
>
> Motivated by RAT-213 we should upgrade Whisker as well.
> Tentacles does not seem to use commons-collections as of now.
> h3. Context
> Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of
> vulnerability that exists. By merely existing on the classpath, this
> library causes the Java serialization parser for the entire JVM process
> to go from being a state machine to a turing machine. A turing machine
> with an exec() function!
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103
> https://commons.apache.org/proper/commons-collections/security-reports.html
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
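Because the issue's point is that the library is a risk merely by being on the classpath, transitive copies matter as much as direct ones. The following is an added example, not part of the issue or of Apache Whisker's code: it scans the plain-text output of `mvn dependency:tree` for any commons-collections older than the 3.2.2 release named above and reports the dependency path that pulls it in. The project coordinates and the sample tree are constructed for illustration.

```python
import re

FIXED = (3, 2, 2)  # fixed 3.x release named in the issue
TARGET = "commons-collections:commons-collections"

# "[INFO] " + tree indentation in 3-character groups + one Maven coordinate
LINE = re.compile(r"^\[INFO\] (?P<indent>(?:[|+\\ ][ -] )*)(?P<coord>\S+)$")

# Constructed sample of `mvn dependency:tree` output (hypothetical project).
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0
[INFO] +- com.example:reporting:jar:2.4:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] \- junit:junit:jar:4.12:test
"""

def parse_version(text):
    """Leading numeric components of a version: '3.2.1' -> (3, 2, 1)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def find_vulnerable(tree_text):
    """Return (version, dependency path) for each copy older than FIXED."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner or non-tree line
        fields = m.group("coord").split(":")
        if len(fields) < 4:
            continue
        depth = len(m.group("indent")) // 3
        # root: group:artifact:type:version; dependency: ...:version:scope
        version = fields[3] if len(fields) == 4 else fields[-2]
        stack = stack[:depth] + [f"{fields[0]}:{fields[1]}"]
        # Conservative assumption: anything below the fixed release is flagged.
        if stack[-1] == TARGET and parse_version(version) < FIXED:
            findings.append((version, " > ".join(stack)))
    return findings

if __name__ == "__main__":
    for version, path in find_vulnerable(SAMPLE_TREE):
        print(f"commons-collections {version} via {path}")
```
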