[CONTROLLER-1454] [SECURITY] Upgrade commons-collections as a hardening measure - OpenDaylight JIRA

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Resolution: Done
Affects Version/s: Beryllium
Fix Version/s: None
Component/s: karaf
Labels:
None
Environment:

Operating System: All
Platform: All

External issue ID:
4668

Description

A vulnerability in commons-collections was recently discovered:

https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#commons

OpenDaylight does not appear to expose any vector for deserializing arbitrary user-supplied content, therefore this vulnerability is not exploitable on OpenDaylight. As a hardening measure, we should consume a patched version of the library.

Randy Randhawa noted:

Looking into Beryllium sources, the only reference to commons-collections I can find is Karaf’s org.apache.karaf.demos.my-kar. Karaf still pulls in commons-collections 3.2.1 in the 3.x release train, though 4.x already upgraded: https://issues.apache.org/jira/browse/KARAF-4135. I pinged them about backporting the change.

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Unassigned

Reporter:: David Jorm

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Nov/15 3:29 PM

Updated:: 19/Oct/17 9:27 PM

Resolved:: 01/Aug/16 1:54 PM