Hello All,
As an Enterprise customer we were informed about the "Apache Commons Deserialize Vulnerability" by Alfresco support and were asked to apply the hotfix [Alfresco One v4.2.2.27] for this. So applying the hotfix means doing an upgrade, which we are not planning to do as we upgraded our system 4 months back.
Does anyone in the community have any alternate plans for this?
I just did a search for the term "org.apache.commons.collections" on the Enterprise source code and could only find the below files -
which means the culprit class InvokerTransformer.java has no reference anywhere in the Alfresco source code. So deleting the class file from commons-collections-3.2.1.jar would solve the vulnerability issue, according to this blog post from Apache.
Can someone please comment on any alternative ways to approach it?
Thanks,
Sujay
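
An added example, not part of the original post: a check that reports every archive still carrying the InvokerTransformer class the post mentions, including jars nested inside a deployed WAR. The entry name is where commons-collections 3.x packages the class; the function names and the sample archive names (such as the "-stripped" jar) are constructed for illustration.

```python
import io
import zipfile

# Entry name of the class the post refers to, as packaged in commons-collections 3.x.
TARGET = "org/apache/commons/collections/functors/InvokerTransformer.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


def find_class(data, label, target=TARGET, depth=0, max_depth=4):
    """Return labels (outer!/inner form) of every archive in data holding target."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name == target:
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                # Recurse into nested archives, e.g. WEB-INF/lib/*.jar in a WAR.
                hits += find_class(zf.read(name), f"{label}!/{name}",
                                   target, depth + 1, max_depth)
    return hits


def _make_zip(entries):
    """Build an in-memory archive from {name: bytes} (used for the sample only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample: a WAR with one untouched jar and one stripped jar."""
    untouched = _make_zip({TARGET: b"\xca\xfe\xba\xbe",
                           "org/apache/commons/collections/map/LRUMap.class": b"x"})
    stripped = _make_zip({"org/apache/commons/collections/map/LRUMap.class": b"x"})
    return _make_zip({
        "WEB-INF/lib/commons-collections-3.2.1.jar": untouched,
        "WEB-INF/lib/commons-collections-3.2.1-stripped.jar": stripped,
    })


if __name__ == "__main__":
    for hit in find_class(build_sample_war(), "sample.war"):
        print("InvokerTransformer present in", hit)
```

To check a real deployment, pass the bytes of each archive on the application server's classpath to `find_class`; any copy of the jar that was not modified will still be listed.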