[jbosstools-issues] [JBoss JIRA] (JBDS-3560) Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)

Mickael Istria (JIRA) issues at jboss.org
Thu Nov 19 09:29:00 EST 2015


    [ https://issues.jboss.org/browse/JBDS-3560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13130831#comment-13130831 ] 

Mickael Istria edited comment on JBDS-3560 at 11/19/15 9:28 AM:
----------------------------------------------------------------

The only feature in our TP that requires and provides org.apache.commons.collections is org.eclipse.jpt.jpa.feature. It is strictly tied to version 3.2.0.
JBDS includes this feature, so it transitively requires the 3.2.0 version of org.apache.commons.collections. I guess there is not much we can do before Mars.2.

Anyway, the features and plugins we provide can still decide to enforce dependency on 3.2.2, and we keep both 3.2.0 and 3.2.2. So at least we know that "our" execution threads wouldn't be hurt by the issue.
And also, although it seems like we're currently forced to ship commons.collections 3.2.0, it doesn't mean that it has to be loaded at runtime. So shipping also a 3.2.2 (by making the hibernate.runtime plugin depend on this specific version for example) would enforce loading of 3.2.2 and should avoid loading of 3.2.0.
So +1 for the change proposed by [~nickboldt], but it requires an additional step to make sure we "enable" the better version.


was (Author: mickael_istria):
The only feature in our TP that requires and provides org.apache.commons.collections is org.eclipse.jpt.jpa.feature. It is strictly tied to version 3.2.0.
JBDS includes this feature, so it transitively requires the 3.2.0 version of org.apache.commons.collections. I guess there is not much we can do before Mars.2.

Anyway, the features and plugins we provide can still decide to enforce dependency on 3.2.2, and we keep both 3.2.0 and 3.2.2. So at least we know that "our" execution threads wouldn't be hurt by the issue.

> Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)
> -------------------------------------------------------------------------
>
>                 Key: JBDS-3560
>                 URL: https://issues.jboss.org/browse/JBDS-3560
>             Project: Developer Studio (JBoss Developer Studio)
>          Issue Type: Bug
>          Components: upstream
>    Affects Versions: 8.1.0.GA, 9.0.0.GA, 10.0.0.Alpha1
>            Reporter: Nick Boldt
>            Assignee: Max Rydahl Andersen
>             Fix For: 9.1.0.Beta1, 10.0.0.Alpha1
>
>         Attachments: apache-commons-collections-in-JBDS7,8,9,10.png, apache-commons-collections-in-JBDS7,8,9,10_refs1.png, apache-commons-collections-in-JBDS7,8,9,10_refs10.png, apache-commons-collections-in-JBDS7,8,9,10_refs7.png, apache-commons-collections-in-JBDS7,8,9,10_refs8-IS-fuse.png, apache-commons-collections-in-JBDS7,8,9,10_refs8.png, apache-commons-collections-in-JBDS7,8,9,10_refs9.png, orbit.R20150519210750_vs_I20151117200049.log.txt, orbit.R20150519210750_vs_I20151117200049.log_onlyLatest.txt
>
>
> This is a container issue to wrap & track https://issues.apache.org/jira/browse/COLLECTIONS-580
> Problem is that JBDS 9 (and probably 8 and 10 too) include org.apache.commons.collections 3.2.0.v2013030210310, which is affected by COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
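Added example, not part of the JIRA thread and not code from the JBoss Tools project: a small Python audit for the situation the comment describes, where a target platform ships both the affected commons-collections 3.2.0 bundle and the fixed 3.2.2 one, and the question is which version a requiring plugin's Require-Bundle range can still be wired to. It parses OSGi bundle file names and bundle-version ranges itself (a minimal version comparison; the qualifier is compared as a plain string), and the plugins directory listing, the 3.2.2 qualifier and the Require-Bundle clauses are constructed inputs, not values from the issue.

```python
"""Constructed audit: which org.apache.commons.collections bundles a
plugins/ directory ships, and whether a Require-Bundle version range
still admits the version affected by COLLECTIONS-580 (3.2.0.x)."""
import re
from functools import total_ordering

FIXED_VERSION = "3.2.2"  # version the thread proposes to depend on


@total_ordering
class OsgiVersion:
    """major.minor.micro[.qualifier]; missing numeric parts default to 0,
    the qualifier is compared as a string (enough for this check)."""

    def __init__(self, text):
        parts = text.strip().split(".", 3)
        nums = [int(p) for p in parts[:3]]
        while len(nums) < 3:
            nums.append(0)
        self.major, self.minor, self.micro = nums
        self.qualifier = parts[3] if len(parts) > 3 else ""

    def _key(self):
        return (self.major, self.minor, self.micro, self.qualifier)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()

    def __repr__(self):
        base = f"{self.major}.{self.minor}.{self.micro}"
        return base + (f".{self.qualifier}" if self.qualifier else "")


# "[3.2.2,4.0.0)" style interval; anything else is treated as an atomic
# minimum version "v" meaning [v, infinity), as OSGi does.
_RANGE_RE = re.compile(r'^\s*([\[(])\s*([^,\s]+)\s*,\s*([^\])\s]+)\s*([\])])\s*$')


def parse_range(text):
    """Return (low, low_inclusive, high_or_None, high_inclusive)."""
    m = _RANGE_RE.match(text)
    if not m:
        return (OsgiVersion(text), True, None, False)
    return (OsgiVersion(m.group(2)), m.group(1) == "[",
            OsgiVersion(m.group(3)), m.group(4) == "]")


def range_admits(rng, version):
    """True if the range could be satisfied by the given bundle version."""
    low, low_inc, high, high_inc = rng
    v = OsgiVersion(version)
    if v < low or (v == low and not low_inc):
        return False
    if high is not None and (v > high or (v == high and not high_inc)):
        return False
    return True


# Eclipse plugin jar naming: <symbolic-name>_<version>.jar
_BUNDLE_FILE_RE = re.compile(r'^(?P<name>[A-Za-z0-9.\-]+)_(?P<version>.+)\.jar$')


def scan_bundles(filenames, symbolic_name="org.apache.commons.collections"):
    """Map each shipped version of symbolic_name to 'affected' or 'fixed'."""
    found = {}
    for f in filenames:
        m = _BUNDLE_FILE_RE.match(f)
        if not m or m.group("name") != symbolic_name:
            continue
        ver = m.group("version")
        is_fixed = OsgiVersion(ver) >= OsgiVersion(FIXED_VERSION)
        found[ver] = "fixed" if is_fixed else "affected"
    return found


def range_from_require_bundle(clause):
    """Split 'name;bundle-version="..."' into (name, parsed range);
    a clause without bundle-version admits every version."""
    name, _, attrs = clause.partition(";")
    m = re.search(r'bundle-version\s*=\s*"?([^";]+)"?', attrs)
    return name.strip(), parse_range(m.group(1) if m else "0.0.0")


def audit(filenames, require_bundle_clause):
    """Combine both checks: what ships, and which affected versions the
    requiring plugin's range could still be wired to."""
    shipped = scan_bundles(filenames)
    _, rng = range_from_require_bundle(require_bundle_clause)
    admits = sorted(v for v, status in shipped.items()
                    if status == "affected" and range_admits(rng, v))
    return {"shipped": shipped, "admits_affected": admits}


# Constructed plugins/ listing; only the 3.2.0 version string is from the issue.
SAMPLE_PLUGINS = [
    "org.apache.commons.collections_3.2.0.v2013030210310.jar",
    "org.apache.commons.collections_3.2.2.v201511171714.jar",  # constructed qualifier
    "org.eclipse.jpt.jpa.core_3.3.0.v201505290310.jar",        # constructed
    "org.hibernate.eclipse_4.0.0.jar",                          # constructed
]
LOOSE_CLAUSE = "org.apache.commons.collections"                       # no range
PINNED_CLAUSE = 'org.apache.commons.collections;bundle-version="[3.2.2,4.0.0)"'

if __name__ == "__main__":
    for clause in (LOOSE_CLAUSE, PINNED_CLAUSE):
        print(clause, "->", audit(SAMPLE_PLUGINS, clause))
```

The loose clause reports that 3.2.0.v2013030210310 is still admissible, the pinned one reports an empty list: shipping 3.2.2 alongside 3.2.0 only helps the plugins whose ranges exclude the old version, which is the "additional step" the comment asks for.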

