
Does Spring Framework use InvokerTransformer from Apache Collections? [SPR-13675] #18250

Closed
spring-projects-issues opened this issue Nov 12, 2015 · 3 comments
Labels
status: invalid An issue that we don't feel is valid

Comments

@spring-projects-issues
Collaborator

spring-projects-issues commented Nov 12, 2015

Kamill Sokol opened SPR-13675 and commented

Yesterday a deserialisation vulnerability (CVE-2015-4852) was announced:

https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

If Spring Framework uses InvokerTransformer, it can be vulnerable to the deserialisation vulnerability (CVE-2015-4852).

Does Spring Framework use InvokerTransformer from Apache Commons Collections?

Reference URL: http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html


@spring-projects-issues
Collaborator Author

spring-projects-issues commented Nov 12, 2015

Brian Martin commented

This appears to be covered in #18232.

@spring-projects-issues
Collaborator Author

spring-projects-issues commented Nov 12, 2015

Juergen Hoeller commented

Spring Framework does not use Commons Collections in any way. If you have it on your classpath, it might just be behind another dependency that you chose, such as OpenJPA.

That said, we do have a related issue in #18232 where we've been fixing a class of ours in order to prevent misuse in such scenarios. Note that this only matters if you are exposing serialization-based endpoints to untrusted clients. Spring does not do any such exposure by default; it's rather something that your application is explicitly opting into through the use of HTTP Invoker or RMI Invoker.

Juergen

@spring-projects-issues
Collaborator Author

spring-projects-issues commented Nov 13, 2015

Kamill Sokol commented

Thank you very much for the clarification. I quoted your comment in a related Stack Overflow question.
