[CONTROLLER-1454] [SECURITY] Upgrade commons-collections as a hardening measure

Created: 24/Nov/15 | Updated: 19/Oct/17 | Resolved: 01/Aug/16

| Status: | Resolved |
| Project: | controller |
| Component/s: | karaf |
| Affects Version/s: | Beryllium |
| Fix Version/s: | None |
| Type: | Bug |
| Reporter: | David Jorm |
| Assignee: | Unassigned |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Operating System: All |
| External issue ID: | 4668 |

| Description |
A vulnerability in commons-collections was recently discovered: https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852

OpenDaylight does not appear to expose any vector for deserializing arbitrary user-supplied content; therefore this vulnerability is not exploitable on OpenDaylight. As a hardening measure, we should consume a patched version of the library.

Randy Randhawa noted: Looking into Beryllium sources, the only reference to commons-collections I can find is Karaf's org.apache.karaf.demos.my-kar. Karaf still pulls in commons-collections 3.2.1 in the 3.x release train, though 4.x already upgraded: https://issues.apache.org/jira/browse/KARAF-4135. I pinged them about backporting the change.
| Comments |

Comment by Robert Varga [ 01/Aug/16 ]

I think this was solved with the upgrade to 3.0.6 for Boron.