Hi Joël,

Joël Traber wrote:

> Hi guys,
> 
> I am running an application working with commons-configuration version 1.6
> I just noticed a bug in
> commons-collection.
> (http://markmail.org/search/?q=COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F#query:COLLECTIONS-580%20list%3Aorg.apache.commons.users%2F+page:1+mid:fzhzqaroxf46apyb+state:results)
> 
> As the older versions (will be changed in 2.0) of commons-configuration
> are having a runtime dependency to commons-collections I am wondering if
> they are potentially affected by this bug as well? Commons-configuration
> version 1.6 uses commons-collections 3.2.1. which still contains the bug.
> (From 3.2.2 they disabled the classes by default.) The documentation says
> only ConfigurationConverter has a dependency to commons-collections
> (org.apache.commons.collections.ExtendedProperties;). I bet that affected
> classes by the bug are never referenced and do not run. That looks to me
> pretty much that using commons-configuration 1.6 is safe, not recommended
> but safe. Even more because it is not using any Serialization support from
> commons-collections.
> 
> Can somebody confirm this?

It is completely pointless to ask whether commons-collections is actually using 
some of those classes or not. The vulnerability applies if your application (or 
your application server, Spring or OSGi container) uses serialization somewhere 
and a vulnerable version of commons-collections is in the classpath. If an 
attacker can manipulate the serialized stream, you're affected.

Therefore you should simply check whether your final application, war, etc. 
contains an old copy of commons-collections and adjust your build if that is 
the case.

Cheers,
Jörg
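The check Jörg describes, scanning the final deployable rather than reasoning about which classes commons-configuration references, can be automated. The script below is an added example and not code from the thread or from Apache Commons: it opens a WAR, identifies every bundled commons-collections jar (by file name, or, for renamed or repackaged jars, by the presence of the functor class and the manifest's `Implementation-Version`), and flags versions older than the release that disabled the unsafe functors by default (3.2.2 for the 3.x line, as the thread notes, and 4.1 for commons-collections4). The sample WAR, its jar names and manifest contents are constructed inline so the example runs offline; a jar whose version cannot be determined is reported as vulnerable rather than silently passed.

```python
"""Scan a WAR (or any zip-packaged deployable) for commons-collections jars
whose version predates the release that disabled the unsafe functor classes.

Added example; not from the mailing-list thread. Paths, sample jars and
manifest contents used in build_sample_war() are constructed for the demo."""
import io
import re
import zipfile
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# First releases in which the unsafe functors are disabled by default.
FIXED = {"commons-collections": (3, 2, 2), "commons-collections4": (4, 1)}

# Marks a jar as a commons-collections build even if it was renamed or shaded.
# Presence alone is NOT a finding: 3.2.2 still ships the class, only disabled;
# the version decides.
MARKER_CLASSES = {
    "commons-collections": "org/apache/commons/collections/functors/InvokerTransformer.class",
    "commons-collections4": "org/apache/commons/collections4/functors/InvokerTransformer.class",
}

FILENAME_RE = re.compile(r"(commons-collections4?)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Optional[Version]:
    """'3.2.1' -> (3, 2, 1); anything non-numeric (e.g. '-SNAPSHOT') -> None."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def identify_jar(entry_name: str, jar_bytes: bytes) -> Optional[Tuple[str, Optional[Version]]]:
    """Return (artifact, version) if the jar is a commons-collections build, else None."""
    artifact: Optional[str] = None
    version: Optional[Version] = None
    m = FILENAME_RE.search(entry_name)
    if m:
        artifact, version = m.group(1), parse_version(m.group(2))
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            names = set(jar.namelist())
            if artifact is None:
                for art, marker in MARKER_CLASSES.items():
                    if marker in names:
                        artifact = art
            if artifact is None:
                return None
            if version is None and "META-INF/MANIFEST.MF" in names:
                manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    key, _, value = line.partition(":")
                    if key.strip() == "Implementation-Version":
                        version = parse_version(value)
    except zipfile.BadZipFile:
        # Not a readable jar; keep whatever the file name told us.
        return (artifact, version) if artifact else None
    return artifact, version


def scan_war(war_bytes: bytes) -> List[Tuple[str, str, Optional[Version], bool]]:
    """Return (entry, artifact, version, vulnerable) for each commons-collections jar.
    An undeterminable version is reported as vulnerable (unknown = fail closed)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            if not entry.lower().endswith(".jar"):
                continue
            ident = identify_jar(entry, war.read(entry))
            if ident is None:
                continue
            artifact, version = ident
            vulnerable = version is None or version < FIXED[artifact]
            findings.append((entry, artifact, version, vulnerable))
    return findings


def vulnerable_entries(war_bytes: bytes) -> List[str]:
    return [entry for entry, _, _, vuln in scan_war(war_bytes) if vuln]


def _make_jar(manifest: Optional[str], *class_entries: str) -> bytes:
    """Constructed jar: optional manifest plus empty placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if manifest is not None:
            jar.writestr("META-INF/MANIFEST.MF", manifest)
        for entry in class_entries:
            jar.writestr(entry, b"")  # placeholder, not real bytecode
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed WAR: vulnerable 3.2.1, fixed 3.2.2, fixed 4.1, a renamed 3.2.1
    identified only by marker class + manifest, and an unrelated jar."""
    cc3, cc4 = MARKER_CLASSES["commons-collections"], MARKER_CLASSES["commons-collections4"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/commons-collections-3.2.1.jar", _make_jar(None, cc3))
        war.writestr("WEB-INF/lib/commons-collections-3.2.2.jar", _make_jar(None, cc3))
        war.writestr("WEB-INF/lib/commons-collections4-4.1.jar", _make_jar(None, cc4))
        war.writestr("WEB-INF/lib/shaded-utils.jar",
                     _make_jar("Manifest-Version: 1.0\nImplementation-Version: 3.2.1\n", cc3))
        war.writestr("WEB-INF/lib/commons-configuration-1.6.jar",
                     _make_jar("Manifest-Version: 1.0\nImplementation-Version: 1.6\n",
                               "org/apache/commons/configuration/ConfigurationConverter.class"))
    return buf.getvalue()


if __name__ == "__main__":
    for entry, artifact, version, vuln in scan_war(build_sample_war()):
        ver = ".".join(map(str, version)) if version else "unknown"
        print(f"{'VULNERABLE' if vuln else 'ok        '} {entry} ({artifact} {ver})")
```

Point `scan_war` at the bytes of a real WAR or EAR to use it on an actual build output. The renamed-jar case is the one worth keeping: a shaded or relocated copy of commons-collections bypasses any check that only greps dependency lists, which is exactly why Jörg recommends inspecting the final artifact rather than the declared dependencies.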

