apache commons collections vulnerability fix


Sammy Lee

Nov 19, 2015, 3:57:17 AM
to saka...@apereo.org

Hi all,

Apache team has announced a new commons collections release:
http://archive.apache.org/dist/commons/collections/binaries/ to fix this vulnerability:
http://www.infoworld.com/article/3003197/security/library-misuse-exposes-leading-java-platforms-to-attack.html

Would this be the way to apply this fix?  We are currently running Sakai 2.9.3.

I found commons-collections-3.2.jar under the gradebook tool.  So I plan to change the version in the gradebook tool pom.xml.

I also searched all pom.xml in our build for 'commons-collection' and came up with 56 of them.

Would I change all the version numbers in all of these pom.xml files? I also found commons-collections-3.2.1.jar under <tomcat_home>/shared/lib; would someone know what I need to change so that the build script will pick up the 3.2.2 version?

Thanks in advance.
  -Sammy

Steve Swinsburg

Nov 19, 2015, 4:40:04 AM
to Sammy Lee, sakai-dev
This should just be in shared and upgraded if it is backwards compatible, and removed from all tools unless there is a specific reason for it being bundled in the webapp?

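As an added example (not code from this thread or from the Sakai project), here is a small POSIX shell script that walks a Sakai/Tomcat tree such as <tomcat_home>/shared/lib and the webapps' WEB-INF/lib directories and reports every commons-collections jar older than the fixed 3.2.2, so you can confirm that no tool is still bundling the old version after the shared-lib upgrade Steve suggests. It assumes the jars keep the standard commons-collections-<version>.jar file name.

```shell
#!/bin/sh
# Added example: report commons-collections jars older than the 3.2.2 release.
# Assumes jar files are named commons-collections-<version>.jar (the Maven default).

FIXED_VERSION="3.2.2"

# Print the version embedded in a jar file name; print nothing if the name
# does not match the commons-collections-<version>.jar pattern.
cc_version_from_name() {
    basename "$1" | sed -n 's/^commons-collections-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Print "vulnerable" when the jar's version sorts before 3.2.2, "fixed" when it
# is 3.2.2 or newer, and "unknown" when the file name does not match.
cc_status() {
    v=$(cc_version_from_name "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 0
    fi
    # Numeric sort on each dot-separated component; a missing component (3.2) sorts lowest.
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" \
        | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    if [ "$v" = "$FIXED_VERSION" ] || [ "$lowest" = "$FIXED_VERSION" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Walk a directory tree (e.g. a Tomcat home: shared/lib plus webapps/*/WEB-INF/lib)
# and print one tab-separated "<status>\t<path>" line per commons-collections jar.
scan_tree() {
    find "$1" -type f -name 'commons-collections-*.jar' 2>/dev/null | while read -r jar; do
        printf '%s\t%s\n' "$(cc_status "$jar")" "$jar"
    done
}

# Usage: sh check_cc.sh /path/to/tomcat
if [ $# -gt 0 ]; then
    scan_tree "$1"
fi
```

Note that commons-collections 4.x uses a different artifact name (commons-collections4), so it is reported as "unknown" rather than silently matched.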

Sammy Lee

Nov 23, 2015, 7:37:31 PM
to Sakai Development, sl9...@gmail.com
We re-build/deploy our code that's based in an svn repository, so when we re-build, it picks up the older 3.2.1 version of commons-collections.  I believe there's a parent pom.xml that's specifying this dependency; can this be changed to use 3.2.2?

thanks.

Matthew Jones

Nov 23, 2015, 7:59:59 PM
to Sammy Lee, Sakai Development
In 2.9 this is in the pom for kernel.

Once the change is made in trunk in master, it will be merged back to the 10.x and possibly the 2.9.x branch.

Sammy Lee

Nov 23, 2015, 8:12:12 PM
to Sakai Development, sl9...@gmail.com
Sakai is very new to me.  Would you mind pointing me to where this pom is?  Thanks!

Leonardo Canessa

Nov 24, 2015, 9:27:44 AM
to Sammy Lee, Sakai Development
<sakai root>/kernel/pom.xml

Leonardo Canessa
Web Developer - E-Learning

Leonardo Canessa

Nov 24, 2015, 9:37:19 AM
to Sammy Lee, Sakai Development
From the Apache Commons-Collections v3.2.2 release notes:
Serialization support for unsafe classes in the functor package is disabled by default as this can be exploited for remote code execution attacks. To re-enable the feature the system property "org.apache.commons.collections.enableUnsafeSerialization" needs to be set to "true". Classes considered to be unsafe are: CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.

None of the classes listed are explicitly used in Sakai 2.9.3, as far as I can tell. I came to this conclusion by doing a case insensitive search for each of the class names.

As such I suspect that upgrading this library is not critical. Anyone using these specific classes should probably upgrade the library.

Leonardo Canessa
Web Developer - E-Learning

Sammy Lee

Nov 24, 2015, 7:46:53 PM
to Sakai Development
thanks so much Leonardo & Matthew!