ICEfaces
  1. ICEfaces
  2. ICE-10843

Mitigate Apache commons-collections library zero-day exploit.

          Details

          • Type: Improvement Improvement
          • Status: Closed
          • Priority: Major Major
          • Resolution: Fixed
          • Affects Version/s: EE-1.8.2.GA_P03, EE-3.0.0.GA, EE-3.3.0.GA_P03, EE-1.8.2.GA_P08
          • Fix Version/s: 4.1, EE-3.3.0.GA_P04, EE-1.8.2.GA_P09
          • Component/s: ICE-Components
          • Labels:
            None
          • Environment:
            ICEfaces ICE / Compat components, Apache commons library.
          • Assignee Priority:
            P1
          • Affects:
            Compatibility/Configuration

            Description

            The ICEfaces EE 3.2.0+ and EE 1.8.2.GA+ releases redistribute the apache-commons library which is required by the ICE components.

            A new zero-day insecure deserialization exploit was found in the Apache commons library. This exploit is documented here: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

            EDIT: Official Apache issue: https://issues.apache.org/jira/browse/COLLECTIONS-580

            This JIRA is to implement an updated/patched Apache commons library for the current EE 3.3 and EE 1.8.2 maintenance branches to be included in the next releases (and patched to customers as needed on older releases).

            Note that ICEfaces 4.0 / EE 4.0 does not use the Apache commons library, though we do redistribute it in support of the MyFaces JSF runtime, which requires it. MyFaces will be updated via a separate JIRA once they provide a patched release of their own.

              Activity

              Ascending order - Click to sort in descending order
              Ken Fyten created issue -
              Ken Fyten made changes -
              Field Original Value New Value
              Fix Version/s EE-3.3.0.GA_P04 [ 12270 ]
              Fix Version/s EE-1.8.2.GA_P09 [ 12470 ]
              Ken Fyten made changes -
              Assignee Ken Fyten [ ken.fyten ]
              Ken Fyten made changes -
              Assignee Ken Fyten [ ken.fyten ] Arturo Zambrano [ artzambrano ]
              Fix Version/s 4.1 [ 11375 ]
              Assignee Priority P2 [ 10011 ]
              Ken Fyten made changes -
              Issue Type Task [ 3 ] Improvement [ 4 ]
              Ken Fyten made changes -
              Assignee Arturo Zambrano [ artzambrano ] Carlo Guglielmin [ carlo.guglielmin ]
              Ken Fyten made changes -
              Status Open [ 1 ] Resolved [ 5 ]
              Affects Compatibility/Configuration [ 10002 ]
              Resolution Fixed [ 1 ]
              Ken Fyten made changes -
              Resolution Fixed [ 1 ]
              Status Resolved [ 5 ] Reopened [ 4 ]
              Assignee Carlo Guglielmin [ carlo.guglielmin ] Ken Fyten [ ken.fyten ]
              Assignee Priority P2 [ 10011 ] P1 [ 10010 ]
              Ken Fyten made changes -
              Description The ICEfaces EE 3.2.0+ and EE 1.8.2.GA+ releases redistribute the apache-commons library which is required by the ICE components.

              A new zero-day insecure deserialization exploit was found in the Apache commons library. This exploit is documented here: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

              This JIRA is to implement an updated/patched Apache commons library for the current EE 3.3 and EE 1.8.2 maintenance branches to be included in the next releases (and patched to customers as needed on older releases).

              Note that ICEfaces 4.0 / EE 4.0 does not use the Apache commons library, though we do redistribute it in support of the MyFaces JSF runtime, which requires it. MyFaces will be updated via a separate JIRA once they provide a patched release of their own.               		The ICEfaces EE 3.2.0+ and EE 1.8.2.GA+ releases redistribute the apache-commons library which is required by the ICE components.

              A new zero-day insecure deserialization exploit was found in the Apache commons library. This exploit is documented here: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

              EDIT: Official Apache issue: https://issues.apache.org/jira/browse/COLLECTIONS-580

              This JIRA is to implement an updated/patched Apache commons library for the current EE 3.3 and EE 1.8.2 maintenance branches to be included in the next releases (and patched to customers as needed on older releases).

              Note that ICEfaces 4.0 / EE 4.0 does not use the Apache commons library, though we do redistribute it in support of the MyFaces JSF runtime, which requires it. MyFaces will be updated via a separate JIRA once they provide a patched release of their own.
              Ken Fyten made changes -
              Status Reopened [ 4 ] Resolved [ 5 ]
              Resolution Fixed [ 1 ]
              Ken Fyten made changes -
              Status Resolved [ 5 ] Closed [ 6 ]

                People

                • Assignee:
                  Ken Fyten
                  Reporter:
                  Ken Fyten
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: