Apache Commons Deserialize Vulnerability


Sujay Pillai

Jan 11, 2016, 9:24:35 PM
to Alfresco Technical Discussion
Hello All,

As an Entp. customer we were informed about the "Apache Commons Deserialize Vulnerability" by Alfresco support and were asked to apply the hotfix [Alfresco One v4.2.2.27] for this. So applying the hotfix means doing an upgrade, which we are not planning to do as we upgraded our system 4 months back.

Does anyone in the community have alternate plans for this?

I just did a search for the term "org.apache.commons.collections" on the Entp. source code and could only find the below files -

which means the culprit class InvokerTransformer.java has no reference anywhere in the Alfresco source code. So deleting the class file from commons-collections-3.2.1.jar would solve the vulnerability issue, according to this blog post from Apache.

Can someone please comment on any alternative ways to approach it?


Thanks,
Sujay


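The post proposes two things: confirm that nothing references InvokerTransformer, and then remove that class file from commons-collections-3.2.1.jar. The script below is an added example, not code from this thread, from Alfresco or from Apache, that does both checks against a jar on disk and writes a stripped copy. It goes one step beyond the poster's grep of the source tree: compiled classes carry the internal name of every class they reference in their constant pool, so it also reports any other `.class` entry inside the jar that mentions `org/apache/commons/collections/functors/InvokerTransformer`, which a source search of the application alone would miss. The jar it builds for the demonstration is constructed in the script (a few fake entries with a class-file magic number, including a hypothetical `com/example/UsesInvoker.class` that references the gadget); it is not the real commons-collections artifact.

```python
"""Check a jar for InvokerTransformer and produce a copy without it.

Added example (not from the thread or from Alfresco/Apache). Assumes only
the Python standard library; the sample jar below is constructed here.
"""
import io
import sys
import zipfile

# Entry name of the class the thread wants removed from commons-collections-3.2.1.jar
GADGET_CLASS = "org/apache/commons/collections/functors/InvokerTransformer.class"
# Internal (slash-separated) name as it appears in other classes' constant pools
GADGET_INTERNAL_NAME = GADGET_CLASS[: -len(".class")]


def build_sample_jar() -> bytes:
    """Constructed stand-in for a commons-collections jar (not the real artifact).

    Entries start with the class-file magic number 0xCAFEBABE but are otherwise
    fake; UsesInvoker.class is a hypothetical class that references the gadget.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(GADGET_CLASS, b"\xca\xfe\xba\xbe" + b"fake InvokerTransformer body")
        zf.writestr("org/apache/commons/collections/map/LazyMap.class",
                    b"\xca\xfe\xba\xbe" + b"no reference to the gadget here")
        zf.writestr("com/example/UsesInvoker.class",  # constructed referrer
                    b"\xca\xfe\xba\xbe" + GADGET_INTERNAL_NAME.encode("utf-8"))
    return buf.getvalue()


def scan_jar(jar_bytes: bytes, gadget: str = GADGET_CLASS):
    """Return (gadget_present, sorted list of other .class entries that reference it).

    The reference check is a byte search for the internal class name, which is
    how CONSTANT_Utf8 entries of the constant pool store it. String literals
    containing the same text would also match, which errs on the side of reporting.
    """
    internal = gadget[: -len(".class")].encode("utf-8")
    present = False
    referrers = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == gadget:
                present = True
            elif name.endswith(".class") and internal in zf.read(name):
                referrers.append(name)
    return present, sorted(referrers)


def strip_class(jar_bytes: bytes, gadget: str = GADGET_CLASS) -> bytes:
    """Return a copy of the jar with the gadget entry omitted; all other entries are kept."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == gadget:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def entry_names(jar_bytes: bytes):
    """List the entries of a jar (used to verify the stripped copy)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def check_and_strip_file(src_path: str, dst_path: str):
    """Scan a real jar on disk and write a stripped copy next to it; returns the scan result."""
    with open(src_path, "rb") as fh:
        data = fh.read()
    present, referrers = scan_jar(data)
    if present:
        with open(dst_path, "wb") as fh:
            fh.write(strip_class(data))
    return present, referrers


if __name__ == "__main__":
    if len(sys.argv) == 3:
        present, refs = check_and_strip_file(sys.argv[1], sys.argv[2])
    else:  # no arguments: run against the constructed sample jar
        sample = build_sample_jar()
        present, refs = scan_jar(sample)
    print("InvokerTransformer present:", present)
    print("classes referencing it inside the jar:", refs or "none")
```

Run it as `python strip_invoker.py commons-collections-3.2.1.jar commons-collections-3.2.1-stripped.jar` to get both the presence result and the list of in-jar referrers before swapping the stripped copy into the deployment; with no arguments it runs on the constructed sample. The referrer list is the part worth reading: if the jar itself contains classes that name InvokerTransformer, those classes fail with a NoClassDefFoundError the first time they are loaded after the strip, so that list tells you what else to test, which the poster's source-tree grep cannot.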