Remote Code Execution vuln in Apache Commons Collections 3.x<3.2.2 & 4.x<4.1 #23637
Comments
😮 I have no idea what jboss is, but I clearly did in 2013...
A Java Enterprise container :)
Yes it's a big Java thingy... :) So JBoss won't ever be fixed because we already have the latest in 7.x branch.
Backported to 17.03: 7e46b92, 16.09: 061bd12
Has someone fixed this in the mesos package? If not, I can take care of it.
I don't think so, @cstrahan
Issue description
This vulnerability has been around since 2015 and was previously mentioned in security round-up #18856 (as LWN vuln #682387).
Related CVEs are CVE-2015-4852 for Oracle Weblogic and CVE-2015-7501 for JBoss. Recently Google raised awareness that this was still an issue as commons-collections is embedded into a lot of open source products and vulnerable versions were still used. They took on GitHub to propose corrective PRs through an operation they called Operation Rosehub, as explained in this blog post. The San Francisco Municipal Transportation Agency was hacked because of this.
How to fix
- commons-collections v3.x needs to upgrade to v3.2.2
- commons-collections v4.0 needs to upgrade to v4.1
Packages affected
- JBoss 7.1.1: includes commons-collections 3.2.1
- Apache Mesos 1.1.0: depends on 3.x before 3.2.2
- Chronos: already marked as broken but would be affected
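The fix thresholds above (3.x below 3.2.2, 4.x below 4.1) are easy to get wrong when checking by eye, since 3.2.2 sorts after 3.2.10 as a string. The following is an added example, not code from this issue or from nixpkgs, that applies those two thresholds to commons-collections jar file names found on a classpath or in a package output. It assumes the usual Maven naming of the jars (`commons-collections-<version>.jar` for the 3.x line, `commons-collections4-<version>.jar` for the 4.x line); the sample classpath entries are constructed for the demonstration.

```python
import re
from pathlib import Path

# Fixed releases named in the issue: 3.x must be >= 3.2.2, 4.x must be >= 4.1.
FIXED_VERSIONS = {3: (3, 2, 2), 4: (4, 1)}

# Matches the Maven jar names of both lines: commons-collections-3.2.1.jar,
# commons-collections4-4.0.jar. Pre-release suffixes (e.g. -SNAPSHOT) are
# intentionally not matched; report those for manual review instead.
JAR_NAME_RE = re.compile(r"^commons-collections4?-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '3.2.1' into the tuple (3, 2, 1) so it compares numerically."""
    return tuple(int(part) for part in text.split("."))


def version_less_than(a, b):
    """Numeric comparison that pads the shorter tuple with zeros,
    so that (4, 1) is equal to, not less than, (4, 1, 0)."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return a < b


def is_vulnerable(version_text):
    """True if this commons-collections version is below the fixed
    release for its major line. Unknown major lines return False
    because the issue only covers 3.x and 4.x."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return False
    return version_less_than(version, fixed)


def scan_jar_names(paths):
    """Return a list of (path, version) for every jar whose name identifies
    a vulnerable commons-collections release."""
    findings = []
    for path in paths:
        match = JAR_NAME_RE.match(Path(path).name)
        if match and is_vulnerable(match.group(1)):
            findings.append((str(path), match.group(1)))
    return findings


def scan_directory(root):
    """Walk a directory (e.g. a JBoss or Mesos install) and scan all jars."""
    return scan_jar_names(Path(root).rglob("*.jar"))


# Constructed sample classpath for the demonstration (not a real install).
SAMPLE_CLASSPATH = [
    "/opt/jboss-7.1.1/modules/org/apache/commons/collections/main/commons-collections-3.2.1.jar",
    "/opt/app/lib/commons-collections-3.2.2.jar",
    "/opt/app/lib/commons-collections4-4.0.jar",
    "/opt/app/lib/commons-collections4-4.1.jar",
    "/opt/app/lib/commons-lang-2.6.jar",
]

if __name__ == "__main__":
    for path, version in scan_jar_names(SAMPLE_CLASSPATH):
        print(f"VULNERABLE commons-collections {version}: {path}")
```

`scan_directory` is what you would point at a built package output; the jar name check is only a first pass, since shaded or renamed jars also embed the library, and those need the bundled `META-INF/maven/.../pom.properties` inspected instead.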