Hi,

> Is there a security advisory for CXF related to the commons-collections security
> vulnerability? All the versions of CXF including 2.7.18, 3.0.7 and 3.1.4 are
> using commons-collections-3.2.1.jar. Will it be fixed in the next release, or can
> we just download the commons-collections-3.2.2.jar and replace
> commons-collections-3.2.1.jar?
Having that on the classpath alone is not really a vulnerability. The real vulnerability is using (unsafe) deserialization on untrusted input. You can be pretty much sure that just replacing the commons-collections JAR will still leave you vulnerable in a typical Java project (if you or any of your libraries perform such deserialization).

Having said that, collections 3.2.2 should be a drop-in replacement (as opposed to 4.0 -> 4.1).

Quickly grepping through the CXF code, there actually seems to be a vulnerability when using Aegis with serialization enabled. Don't know how common that is.

Moritz

--
AgNO3 GmbH & Co. KG, registered in Tübingen, Stuttgart District Court HRA 728731
Personally liable partner: Metagesellschaft mbH, registered in Tübingen, Stuttgart District Court HRB 744820, represented by Joachim Keltsch
