loftuxab / alfresco-community-loftux

Alfresco Community by Loftux
https://loftux.com
GNU Lesser General Public License v3.0

Upgrade Apache Commons Collections to v3.2.2 #25

Closed gmlewis closed 8 years ago

gmlewis commented 8 years ago

Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a Turing machine. A Turing machine with an exec() function!

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103
https://commons.apache.org/proper/commons-collections/security-reports.html
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

loftux commented 8 years ago

Thanks for bringing this to our attention. We will start reviewing right away.

loftux commented 8 years ago

Hi again,

It seems like you have used an automated script to create a pull request. Did you only look for version string 3.2.1 or is this dependency you have in the pull request also vulnerable?

         <dependency>
              <groupId>org.apache.maven</groupId>
              <artifactId>maven-artifact</artifactId>
 -            <version>3.2.1</version>
 +            <version>3.2.2</version>
          </dependency>
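
Review bot: this hunk changes `org.apache.maven:maven-artifact`, not `commons-collections:commons-collections`, so the 3.2.1 to 3.2.2 bump here does not address CVE-2015-8103 and looks like a match on the version string alone rather than on the full groupId/artifactId coordinates. Revert this hunk; the upgrade belongs on the commons-collections dependency named in the PR title.
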
gmlewis commented 8 years ago

Hi @loftux - it looks like my script made an error here, and I'm very sorry about that. Would you like me to fix this or would you like to revert my change yourself?

loftux commented 8 years ago

That's ok, I'll fix it. Alfresco has patched this in its latest release. We still maintain older builds for clients that we need to patch, so this alerted us to that.
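The mismatch discussed in this thread (a script matching on the version string `3.2.1` and bumping `maven-artifact` instead of `commons-collections`) is easy to avoid by matching on full Maven coordinates. The following is an added example, not code from this repository or from the PR author's script; the fixed-version table and the sample POM are constructed for the example and only track the commons-collections 3.x line that CVE-2015-8103 covers.

```python
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
# Coordinates affected by CVE-2015-8103 and the release that fixes them.
# Assumption for this example: only the commons-collections 3.x line is tracked.
FIXED_IN = {("commons-collections", "commons-collections"): (3, 2, 2)}

def parse_version(v):
    """'3.2.1' -> (3, 2, 1); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency> in a POM."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith(POM_NS) else ""
    for dep in root.iter(ns + "dependency"):
        yield tuple(dep.findtext(ns + tag, "").strip()
                    for tag in ("groupId", "artifactId", "version"))

def naive_hits(pom_xml, version="3.2.1"):
    """Version-string-only matching: flags every artifact at that version."""
    return [d for d in dependencies(pom_xml) if d[2] == version]

def vulnerable_hits(pom_xml):
    """Match on full coordinates, then compare against the fixed release."""
    hits = []
    for g, a, v in dependencies(pom_xml):
        fixed = FIXED_IN.get((g, a))
        # Skip unrelated artifacts, versions managed elsewhere, and unresolved
        # ${property} versions, which cannot be compared without resolving the POM.
        if fixed is None or not v or v.startswith("${"):
            continue
        if parse_version(v) < fixed:
            hits.append((g, a, v))
    return hits

# Constructed sample POM: the thread's false positive, a real hit, and a fixed one.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.apache.maven</groupId><artifactId>maven-artifact</artifactId>
<version>3.2.1</version></dependency>
<dependency><groupId>commons-collections</groupId><artifactId>commons-collections</artifactId>
<version>3.2.1</version></dependency>
<dependency><groupId>commons-collections</groupId><artifactId>commons-collections</artifactId>
<version>3.2.2</version></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    print("naive:", naive_hits(SAMPLE_POM))
    print("vulnerable:", vulnerable_hits(SAMPLE_POM))
```

Run against the sample, the naive check flags both 3.2.1 artifacts, while the coordinate-aware check reports only `commons-collections:commons-collections:3.2.1`.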