https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/CONTROLLER-1454 controller <p>A vulnerability in commons-collections was recently discovered:</p> <p><a href="https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852" class="external-link" target="_blank" rel="nofollow noopener">https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852</a><br/> <a href="http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#commons" class="external-link" target="_blank" rel="nofollow noopener">http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#commons</a></p> <p>OpenDaylight does not appear to expose any vector for deserializing arbitrary user-supplied content, therefore this vulnerability is not exploitable on OpenDaylight. As a hardening measure, we should consume a patched version of the library.</p> <p>Randy Randhawa noted:</p> <p>Looking into Beryllium sources, the only reference to commons-collections I can find is Karaf’s org.apache.karaf.demos.my-kar. Karaf still pulls in commons-collections 3.2.1 in the 3.x release train, though 4.x already upgraded: <a href="https://issues.apache.org/jira/browse/KARAF-4135" class="external-link" target="_blank" rel="nofollow noopener">https://issues.apache.org/jira/browse/KARAF-4135</a>. I pinged them about backporting the change.</p> <p>Operating System: All<br/> Platform: All</p> CONTROLLER-1454

[SECURITY] Upgrade commons-collections as a hardening measure

Bug Resolved Done Unassigned David Jorm Tue, 24 Nov 2015 15:29:44 +0000 Thu, 19 Oct 2017 21:27:00 +0000 Mon, 1 Aug 2016 13:54:59 +0000 Beryllium karaf 0 1 <p>I think this was solved with the upgrade to 3.0.6 for Boron.</p> Development External issue ID 4668 External issue URL Issue Type ODL SR Target Milestone Rank 0|i02qo7: