Ticket #36141

commons-collections vulnerability

Open Date: 2016-03-13 21:52 Last Update: 2016-03-13 21:52

Reporter:
(Anonymous)
Owner:
(None)
Type:
Status:
Open
Component:
(None)
MileStone:
(None)
Priority:
5 - Medium
Severity:
5 - Medium
Resolution:
None
File:
None

Details

There was a report that the commons-collections library used by EB4J has a vulnerability. I would appreciate it if you could apply the following patch.

https://github.com/miurahr/eb4j/pull/1

gmlewis commented 4 days ago:

Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a Turing machine. A Turing machine with an exec() function!

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103
https://commons.apache.org/proper/commons-collections/security-reports.html
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

Ticket History (1/1 Histories)

2016-03-13 21:52 Updated by: None
  • New Ticket "commons-collections vulnerability" created

Attachment File List

No attachments
