Hello Joel,

2015-11-17 18:01 GMT+01:00 Joël Traber <[email protected]>:

> Hi guys,
>
> I am running an application working with commons-configuration version 1.6.
> I just noticed a bug in commons-collections (
> http://markmail.org/search/?q=COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F#query:COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F+page:1+mid:fzhzqaroxf46apyb+state:results
> ).
>
> As the older versions (will be changed in 2.0) of commons-configuration
> have a runtime dependency on commons-collections, I am wondering if
> they are potentially affected by this bug as well.
> Commons-configuration version 1.6 uses commons-collections 3.2.1, which
> still contains the bug. (From 3.2.2 they disabled the classes by default.)
> The documentation says only ConfigurationConverter has a dependency on
> commons-collections (org.apache.commons.collections.ExtendedProperties). I
> bet that the classes affected by the bug are never referenced and do not run.
> That looks to me pretty much like using commons-configuration 1.6 is safe;
> not recommended, but safe. Even more so because it is not using any
> serialization support from commons-collections.
>
> Can somebody confirm this?
>

commons-collections 3.2.2 is a drop-in replacement for 3.2.1. You can just
upgrade and everything will be fine. However, I recommend reading [1]. It's a
blog post I've written to show that most applications are probably not
affected by said vulnerability (which, by the way, is no problem in commons
collections but in the application using deserialization in an unsafe way).

HTH,
Benedikt

[1] https://blog.codecentric.de/en/2015/11/comment-on-the-so-called-security-vulnerability-in-apache-commons-collections/

> Many thanks
> joël
>

--
http://people.apache.org/~britter/
http://www.systemoutprintln.de/
http://twitter.com/BenediktRitter
http://github.com/britter
