ICEfaces
  1. ICEfaces
  2. ICE-10843

Mitigate Apache commons-collections library zero-day exploit.

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: EE-1.8.2.GA_P03, EE-3.0.0.GA, EE-3.3.0.GA_P03, EE-1.8.2.GA_P08
    • Component/s: ICE-Components
    • Labels:
      None
    • Environment:
      ICEfaces ICE / Compat components, Apache commons library.
    • Assignee Priority:
      P1
    • Affects:
      Compatibility/Configuration

      Description

      The ICEfaces EE 3.2.0+ and EE 1.8.2.GA+ releases redistribute the apache-commons library which is required by the ICE components.

      A new zero-day insecure deserialization exploit was found in the Apache commons library. This exploit is documented here: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

      EDIT: Official Apache issue: https://issues.apache.org/jira/browse/COLLECTIONS-580

      This JIRA is to implement an updated/patched Apache commons library for the current EE 3.3 and EE 1.8.2 maintenance branches to be included in the next releases (and patched to customers as needed on older releases).

      Note that ICEfaces 4.0 / EE 4.0 does not use the Apache commons library, though we do redistribute it in support of the MyFaces JSF runtime, which requires it. MyFaces will be updated via a separate JIRA once they provide a patched release of their own.

        Activity

        Hide
        Ken Fyten added a comment -

        Assigned to Art to factor out the apache commons library usage in IF 4.1 and EE 3.3 P04.

        Show
        Ken Fyten added a comment - Assigned to Art to factor out the apache commons library usage in IF 4.1 and EE 3.3 P04.
        Hide
        Carlo Guglielmin added a comment -

        I updated:
        http://dev.icesoft.com/svn/ossrepo/icefaces4/trunk/icefaces/samples/showcase
        http://dev.icesoft.com/svn/ossrepo/icefaces-ee/branches/icefaces-ee-3.3.0.GA-maintenance/icefaces/samples/showcase

        They no longer required Apache Commons Collection to build or compile. Part of this meant modifying the source code loader, which no longer uses
        org.icefaces.samples.showcase.MAX_SOURCE_CACHE_SIZE as a result.

        Show
        Carlo Guglielmin added a comment - I updated: http://dev.icesoft.com/svn/ossrepo/icefaces4/trunk/icefaces/samples/showcase http://dev.icesoft.com/svn/ossrepo/icefaces-ee/branches/icefaces-ee-3.3.0.GA-maintenance/icefaces/samples/showcase They no longer required Apache Commons Collection to build or compile. Part of this meant modifying the source code loader, which no longer uses org.icefaces.samples.showcase.MAX_SOURCE_CACHE_SIZE as a result.
        Hide
        Ken Fyten added a comment -

        Removed commons-collections.jar from repository, updated maven pom to remove the dependency, and remove it from versions-licenses.html on icefaces 4 trunk, 4.1 tag, and icefaces 3.3. maintenance branch (svn rvn# 46895).

        Show
        Ken Fyten added a comment - Removed commons-collections.jar from repository, updated maven pom to remove the dependency, and remove it from versions-licenses.html on icefaces 4 trunk, 4.1 tag, and icefaces 3.3. maintenance branch (svn rvn# 46895).
        Hide
        Ken Fyten added a comment -

        Removed commons-collections.jar from icefaces1.8 maintenance repo. (svn rvn# 46898)

        Show
        Ken Fyten added a comment - Removed commons-collections.jar from icefaces1.8 maintenance repo. (svn rvn# 46898)
        Hide
        Ken Fyten added a comment -

        Re-opened as it has been determined that the ICEfaces EE 1.8.2.GA Composite Components, and their showcase sample both depend on the apache commons-beansutils.jar, which in turn depends on the apache commons-collections.jar, so simply removing that jar from the bundle is not sufficient.

        Show
        Ken Fyten added a comment - Re-opened as it has been determined that the ICEfaces EE 1.8.2.GA Composite Components, and their showcase sample both depend on the apache commons-beansutils.jar, which in turn depends on the apache commons-collections.jar, so simply removing that jar from the bundle is not sufficient.
        Hide
        Ken Fyten added a comment -

        Turns out Apache finally resolved this issue via new commons-collections library releases.

        Re-instated the commons-collections.jar for ICEfaces 1.8.2.EE_P09, using the 3.2.2 release. This release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. Serialization support for unsafe classes in the functor package has been completely removed (classes do not implement the Serializable interface anymore).

        Show
        Ken Fyten added a comment - Turns out Apache finally resolved this issue via new commons-collections library releases. Re-instated the commons-collections.jar for ICEfaces 1.8.2.EE_P09, using the 3.2.2 release. This release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. Serialization support for unsafe classes in the functor package has been completely removed (classes do not implement the Serializable interface anymore).

          People

          • Assignee:
            Ken Fyten
            Reporter:
            Ken Fyten
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: