Date: Fri, 13 Nov 2015 23:07:49 +0100 From: Gsunde Orangen <gsunde.orangen@...il.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw On 2015-11-13, 22:07 Mark Felder wrote: > > > On Fri, Nov 13, 2015, at 08:37, Mark Felder wrote: >> >> >> On Fri, Nov 13, 2015, at 01:58, Gsunde Orangen wrote: >>> >>> I share Tim's view  and a dozen of (own) applications we checked >>> won't break. A property that re-enables deserialization of course would >>> help additionally: allow applications that really *need* this to get it >>> working; but that requires an explicit step - so latest by that time: >>> those, whose applications break after including a "fixed" version of >>> Commons-Collections would (hopefully) start to think about their design. >>> >>> Gsunde >>> >>>  http://seclists.org/oss-sec/2015/q4/238 >>>  http://seclists.org/oss-sec/2015/q4/263 >> >> This statement is how we have been operating our mitigation strategy: >> >> "Applications which use Apache Commons Collections and do not use >> deserialization are not vulnerable." >> > > > CERT has released a statement indicating that you are vulnerable > simply by having this in your classpath. It does not matter if you are > doing deserialization or not. The patch to disable serialization > functionality by default seems to me like the only option to mitigate > the CVE now. > > >  https://www.kb.cert.org/vuls/id/576313 >  > https://issues.apache.org/jira/secure/attachment/12771520/COLLECTIONS-580.patch > ... and Apache.org's statement  summarizes the issue and the current status quite well  https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ