Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: EE-1.8.2.GA_P03, EE-3.0.0.GA, EE-3.3.0.GA_P03, EE-1.8.2.GA_P08
- Fix Version/s: 4.1, EE-3.3.0.GA_P04, EE-1.8.2.GA_P09
- Component/s: ICE-Components
- Labels: None
- Environment: ICEfaces ICE / Compat components, Apache commons library.
- Assignee Priority: P1
- Affects: Compatibility/Configuration
Description
The ICEfaces EE 3.2.0+ and EE 1.8.2.GA+ releases redistribute the apache-commons library which is required by the ICE components.
A new zero-day insecure deserialization exploit was found in the Apache commons library. This exploit is documented here: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
EDIT: Official Apache issue: https://issues.apache.org/jira/browse/COLLECTIONS-580
This JIRA is to implement an updated/patched Apache commons library for the current EE 3.3 and EE 1.8.2 maintenance branches to be included in the next releases (and patched to customers as needed on older releases).
Note that ICEfaces 4.0 / EE 4.0 does not use the Apache commons library, though we do redistribute it in support of the MyFaces JSF runtime, which requires it. MyFaces will be updated via a separate JIRA once they provide a patched release of their own.
Turns out Apache finally resolved this issue via new commons-collections library releases.
Re-instated the commons-collections.jar for ICEfaces 1.8.2.EE_P09, using the 3.2.2 release. This release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. Serialization support for unsafe classes in the functor package has been completely removed (classes do not implement the Serializable interface anymore).
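To tell whether a redistributed commons-collections jar predates the 3.2.2 mitigation described in the comment above, and to refuse functor classes at the deserialization boundary regardless of which version is on the classpath, here is an added example; it is not ICEfaces or Apache code. It assumes the commons-collections 3.x class name `org.apache.commons.collections.functors.InvokerTransformer` and the functors package prefixes; the ArrayList round-trip is constructed sample input.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collections;

public class CommonsCollectionsCheck {

    // Functor class that stopped implementing Serializable in commons-collections 3.2.2.
    static final String INVOKER =
        "org.apache.commons.collections.functors.InvokerTransformer";

    /** True when the commons-collections on the classpath still lets the
     *  functor be deserialized, i.e. the jar is older than 3.2.2. */
    static boolean functorsAreSerializable() {
        try {
            return Serializable.class.isAssignableFrom(Class.forName(INVOKER));
        } catch (ClassNotFoundException e) {
            return false; // library absent: nothing for a stream to instantiate
        }
    }

    /** Stream that rejects the functor packages before any instance is created,
     *  a control that holds even if an old jar is reintroduced later. */
    static class FunctorRejectingInputStream extends ObjectInputStream {
        FunctorRejectingInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String n = desc.getName();
            if (n.startsWith("org.apache.commons.collections.functors.")
                    || n.startsWith("org.apache.commons.collections4.functors.")) {
                throw new InvalidClassException(n, "functor classes are not accepted");
            }
            return super.resolveClass(desc);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("functors serializable (pre-3.2.2): " + functorsAreSerializable());
        ByteArrayOutputStream bos = new ByteArrayOutputStream(); // constructed sample
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<>(Collections.singletonList("ok")));
        }
        try (ObjectInputStream ois = new FunctorRejectingInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("read back: " + ois.readObject()); // harmless list passes
        }
    }
}
```

Run it with the shipped commons-collections.jar on the classpath: `true` from the first line means the jar still needs the 3.2.2 (or later) update.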