Upgrade Apache Commons Collections to v3.2.2 #135

Merged
merged 1 commit into from Mar 9, 2016


@bogosj
Contributor
bogosj commented Mar 8, 2016

Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of
vulnerability that exists. By merely existing on the classpath, this
library causes the Java serialization parser for the entire JVM process
to go from being a state machine to a Turing machine. A Turing machine
with an exec() function!

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103
https://commons.apache.org/proper/commons-collections/security-reports.html
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

@bogosj bogosj Upgrade Apache Commons Collections to v3.2.2
dabd1e4
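An added example, not code from this PR or from PS3 Media Server: a Python audit script that walks a classpath, finds the JARs that ship the InvokerTransformer gadget class, and flags the builds whose readObject() is still unguarded (commons-collections before 3.2.2 and commons-collections4 before 4.1, per the Commons security report linked above). The sample JARs it creates are constructed fixtures with placeholder class bytes, and the version lookup (Maven pom.properties, then the manifest, then the file name) is this script's own assumption about how the artifact is packaged.

```python
"""Find Apache Commons Collections JARs on a classpath whose deserialization
gadgets (InvokerTransformer and friends) are not guarded. Added example, not
code from the PR or from PS3 Media Server."""
import re
import tempfile
import zipfile
from pathlib import Path

# First release of each artifact that refuses to deserialize the unsafe
# functors by default (Commons Collections 3.2.2 and 4.1 release notes).
FIXED_IN = {
    "commons-collections": (3, 2, 2),
    "commons-collections4": (4, 1, 0),
}

# The gadget class's presence is what makes the JVM exploitable; the version
# metadata tells us whether its readObject() is guarded.
GADGET_CLASSES = {
    "commons-collections": "org/apache/commons/collections/functors/InvokerTransformer.class",
    "commons-collections4": "org/apache/commons/collections4/functors/InvokerTransformer.class",
}

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); '4.1' -> (4, 1, 0); None if no digits found."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def _version_from_jar(zf, artifact, jar_name):
    """Best-effort version lookup: pom.properties, manifest, then file name."""
    names = set(zf.namelist())
    for gid in ("commons-collections", "org.apache.commons"):
        props = f"META-INF/maven/{gid}/{artifact}/pom.properties"
        if props in names:
            for line in zf.read(props).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            key, _, value = line.partition(":")
            if key.strip() in ("Implementation-Version", "Bundle-Version"):
                return parse_version(value)
    m = re.search(rf"{artifact}-(\d[\d.]*)", jar_name)
    return parse_version(m.group(1)) if m else None


def inspect_jar(jar_path):
    """Return a finding for a JAR that ships an InvokerTransformer, else None."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        for artifact, gadget in GADGET_CLASSES.items():
            if gadget not in names:
                continue
            version = _version_from_jar(zf, artifact, jar_path.name)
            # Unknown version is treated as vulnerable: the safe default for an audit.
            vulnerable = version is None or version < FIXED_IN[artifact]
            return {"jar": jar_path.name, "artifact": artifact,
                    "version": version, "vulnerable": vulnerable}
    return None


def scan_classpath(entries):
    """Walk directories and JAR files; return findings for gadget-bearing JARs."""
    findings = []
    for entry in map(Path, entries):
        jars = [entry] if entry.suffix == ".jar" else sorted(entry.rglob("*.jar"))
        findings.extend(f for f in (inspect_jar(j) for j in jars) if f)
    return findings


def write_sample_jar(path, artifact, version, with_gadget=True):
    """Constructed fixture: JAR skeleton with Maven metadata and a placeholder
    class entry (the bytes are not real bytecode)."""
    gid = "commons-collections" if artifact == "commons-collections" else "org.apache.commons"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"META-INF/maven/{gid}/{artifact}/pom.properties",
                    f"version={version}\ngroupId={gid}\nartifactId={artifact}\n")
        if with_gadget:
            zf.writestr(GADGET_CLASSES[artifact], b"\xca\xfe\xba\xbe")


def demo():
    """Build a constructed classpath directory and scan it; returns the findings."""
    root = Path(tempfile.mkdtemp())
    write_sample_jar(root / "commons-collections-3.2.1.jar", "commons-collections", "3.2.1")
    write_sample_jar(root / "commons-collections-3.2.2.jar", "commons-collections", "3.2.2")
    write_sample_jar(root / "commons-collections4-4.0.jar", "commons-collections4", "4.0")
    write_sample_jar(root / "commons-collections4-4.1.jar", "commons-collections4", "4.1")
    # An unrelated library with no gadget class must not be reported.
    with zipfile.ZipFile(root / "commons-lang-2.6.jar", "w") as zf:
        zf.writestr("org/apache/commons/lang/StringUtils.class", b"\xca\xfe\xba\xbe")
    return scan_classpath([root])


if __name__ == "__main__":
    for finding in demo():
        status = "VULNERABLE" if finding["vulnerable"] else "ok"
        print(f"{finding['jar']}: {finding['artifact']} {finding['version']} -> {status}")
```

Two caveats for anyone running this against a real build: 3.2.2 and 4.1 do not remove the gadget classes, they make their readObject() throw UnsupportedOperationException unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true, so check your JVM flags as well as the JAR version; and this closes only the Commons Collections chain. A process that deserializes untrusted bytes remains exposed through whatever other gadget chains its classpath happens to provide, so the upgrade is a mitigation, not a substitute for not deserializing untrusted input.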
@Nadahar
Nadahar commented Mar 9, 2016

@bogosj I think this is a dead project so I doubt it will be fixed.

I don't think the bug affects PMS at all, as there are no external serialized objects being consumed anywhere in the code that I'm aware of. PMS also typically resides behind NAT with ports exposed to the outside, which means that the attacker would have to be on the local LAN - which isn't very likely at all. All network communication consists of text-based protocols like HTML, XML, SOAP - there are no binary objects being received at all. Even though media files or streams could be considered a binary object if you want to stretch it, PMS won't try to unserialize those expecting them to be packed Java objects.

@gzsombor gzsombor merged commit 7a8958a into ps3mediaserver:master Mar 9, 2016