Date: Sun, 15 Nov 2015 23:48:35 +0100 From: Gsunde Orangen <gsunde.orangen@...il.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-Request: Assign CVE for common-collections remote code execution on deserialisation flaw It seems that IBM Websphere  is now using the same CVE ID as Oracle WebLogic : CVE-2015-4852 So I would go with that ID with any application around the Commons-Collections issues. Gsunde  http://www.ibm.com/support/docview.wss?uid=swg21970575  https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852 On 2015-11-13, 23:07 Gsunde Orangen wrote: > On 2015-11-13, 22:07 Mark Felder wrote: >> >> On Fri, Nov 13, 2015, at 08:37, Mark Felder wrote: >>> >>> On Fri, Nov 13, 2015, at 01:58, Gsunde Orangen wrote: >>>> >>>> I share Tim's view  and a dozen of (own) applications we checked >>>> won't break. A property that re-enables deserialization of course would >>>> help additionally: allow applications that really *need* this to get it >>>> working; but that requires an explicit step - so latest by that time: >>>> those, whose applications break after including a "fixed" version of >>>> Commons-Collections would (hopefully) start to think about their design. >>>> >>>> Gsunde >>>> >>>>  http://seclists.org/oss-sec/2015/q4/238 >>>>  http://seclists.org/oss-sec/2015/q4/263 >>> >>> This statement is how we have been operating our mitigation strategy: >>> >>> "Applications which use Apache Commons Collections and do not use >>> deserialization are not vulnerable." >>> >> >> >> CERT has released a statement indicating that you are vulnerable >> simply by having this in your classpath. It does not matter if you are >> doing deserialization or not. The patch to disable serialization >> functionality by default seems to me like the only option to mitigate >> the CVE now. >> >> >>  https://www.kb.cert.org/vuls/id/576313 >>  >> https://issues.apache.org/jira/secure/attachment/12771520/COLLECTIONS-580.patch >> > ... and Apache.org's statement  summarizes the issue and the current > status quite well > >  > https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ