ICEfaces / ICE-10843

Mitigate Apache commons-collections library zero-day exploit.

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EE-1.8.2.GA_P03, EE-3.0.0.GA, EE-3.3.0.GA_P03, EE-1.8.2.GA_P08
    • Component/s: ICE-Components
    • Labels:
      None
    • Environment:
      ICEfaces ICE / Compat components, Apache commons library.
    • Assignee Priority:
      P1
    • Affects:
      Compatibility/Configuration

      Description

      The ICEfaces EE 3.2.0+ and EE 1.8.2.GA+ releases redistribute the apache-commons library which is required by the ICE components.

      A new zero-day insecure deserialization exploit was found in the Apache commons library. This exploit is documented here: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

      EDIT: Official Apache issue: https://issues.apache.org/jira/browse/COLLECTIONS-580

      This JIRA is to implement an updated/patched Apache commons library for the current EE 3.3 and EE 1.8.2 maintenance branches to be included in the next releases (and patched to customers as needed on older releases).

      Note that ICEfaces 4.0 / EE 4.0 does not use the Apache commons library, though we do redistribute it in support of the MyFaces JSF runtime, which requires it. MyFaces will be updated via a separate JIRA once they provide a patched release of their own.

        Activity

        Ken Fyten created issue -
        Ken Fyten made changes -
        Field Original Value New Value
        Fix Version/s EE-3.3.0.GA_P04 [ 12270 ]
        Fix Version/s EE-1.8.2.GA_P09 [ 12470 ]
        Ken Fyten made changes -
        Assignee Ken Fyten [ ken.fyten ]
        Ken Fyten added a comment -

        Assigned to Art to factor out the apache commons library usage in IF 4.1 and EE 3.3 P04.

        Ken Fyten made changes -
        Assignee Ken Fyten [ ken.fyten ] Arturo Zambrano [ artzambrano ]
        Fix Version/s 4.1 [ 11375 ]
        Assignee Priority P2 [ 10011 ]
        Ken Fyten made changes -
        Issue Type Task [ 3 ] Improvement [ 4 ]
        Ken Fyten made changes -
        Assignee Arturo Zambrano [ artzambrano ] Carlo Guglielmin [ carlo.guglielmin ]
        Revision #46562, ICEsoft Public SVN Repository, Thu Dec 17 10:56:55 MST 2015, carlo.guglielmin:
        ICE-10843 - Removed dependency on Apache Commons Collection related to an exploit in their deserialization approach. This meant using an alternative approach to getting an enumeration in LocationNodeImpl, and more importantly rewriting the source code cacher to use a LinkedHashMap instead of a TreeBidiMap
        Files Changed:
        MODIFY /icefaces4/trunk/icefaces/samples/showcase/showcase/src/main/java/org/icefaces/samples/showcase/example/ace/tree/LocationNodeImpl.java
        MODIFY /icefaces4/trunk/icefaces/samples/showcase/showcase/src/main/java/org/icefaces/samples/showcase/util/SourceCodeLoaderConnection.java
        Carlo Guglielmin added a comment -

        I updated:
        http://dev.icesoft.com/svn/ossrepo/icefaces4/trunk/icefaces/samples/showcase
        http://dev.icesoft.com/svn/ossrepo/icefaces-ee/branches/icefaces-ee-3.3.0.GA-maintenance/icefaces/samples/showcase

        They no longer require Apache Commons Collection to build or compile. Part of this meant modifying the source code loader, which no longer uses org.icefaces.samples.showcase.MAX_SOURCE_CACHE_SIZE as a result.

        Revision #46889, ICEsoft Public SVN Repository, Fri Dec 18 10:52:26 MST 2015, ken.fyten:
        ICE-10843 - Removed apache commons-collections.jar dependency and jar from repository and bundle builds.
        Files Changed:
        MODIFY /icefaces4/trunk/icefaces/samples/showcase/pom.xml
        DEL /icefaces4/trunk/icefaces/samples/showcase/showcase/lib/commons-collections.jar
        MODIFY /icefaces4/trunk/icefaces/samples/core/test/mojarra-tests/trunk/mods/common.xml
        MODIFY /icefaces4/trunk/icefaces/lib/versions-licenses.html
        Revision #46890, ICEsoft Public SVN Repository, Fri Dec 18 10:56:27 MST 2015, ken.fyten:
        ICE-10843 - Removed apache commons-collections.jar dependency and jar from repository and bundle builds.
        Files Changed:
        MODIFY /icefaces4/tags/icefaces-4.1.0/icefaces/lib/versions-licenses.html
        MODIFY /icefaces4/tags/icefaces-4.1.0/icefaces/samples/core/test/mojarra-tests/trunk/mods/common.xml
        DEL /icefaces4/tags/icefaces-4.1.0/icefaces/samples/showcase/showcase/lib/commons-collections.jar
        MODIFY /icefaces4/tags/icefaces-4.1.0/icefaces/samples/showcase/pom.xml
        Revision #46891, ICEsoft Public SVN Repository, Fri Dec 18 11:01:16 MST 2015, ken.fyten:
        ICE-10843 - Removed apache commons-collections.jar dependency and jar from repository and bundle builds.
        Files Changed:
        MODIFY /icefaces4/tags/icefaces-4.1.0/icefaces/samples/showcase/showcase/src/main/java/org/icefaces/samples/showcase/util/SourceCodeLoaderConnection.java
        MODIFY /icefaces4/tags/icefaces-4.1.0/icefaces/samples/showcase/showcase/src/main/java/org/icefaces/samples/showcase/example/ace/tree/LocationNodeImpl.java
        Ken Fyten added a comment -

        Removed commons-collections.jar from repository, updated maven pom to remove the dependency, and removed it from versions-licenses.html on icefaces 4 trunk, 4.1 tag, and icefaces 3.3 maintenance branch (svn rev# 46895).

        Ken Fyten added a comment -

        Removed commons-collections.jar from icefaces1.8 maintenance repo. (svn rev# 46898)

        Ken Fyten made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Affects Compatibility/Configuration [ 10002 ]
        Resolution Fixed [ 1 ]
        Revision #46898, ICEsoft Public SVN Repository, Fri Dec 18 13:48:25 MST 2015, ken.fyten:
        ICE-10843 - Removed apache commons-collections.jar jar from repository.
        Files Changed:
        DEL /icefaces/trunk/icefaces/lib/commons-collections.jar
        Revision #49400, ICEsoft Public SVN Repository, Mon Oct 24 15:47:58 MDT 2016, ken.fyten:
        ICE-10843 - Removed commons-collections dependency from pom files.
        Files Changed:
        MODIFY /icefaces/trunk/icefaces/maven2/poms/just-ice.pom
        MODIFY /icefaces/trunk/icefaces/maven2/poms/icefaces.pom
        Ken Fyten added a comment -

        Re-opened as it has been determined that the ICEfaces EE 1.8.2.GA Composite Components, and their showcase sample, both depend on the apache commons-beanutils.jar, which in turn depends on the apache commons-collections.jar, so simply removing that jar from the bundle is not sufficient.

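        The description and the reopening comment above make one practical point between them: the bundle ships an unversioned commons-collections.jar in a lib directory, and commons-beanutils pulls commons-collections in transitively, so a fix has to be verified against what is actually on the classpath rather than against a file name or a pom edit. The scanner below is an added example, not ICEsoft code and not part of this issue. It reads the version from inside each jar (Maven pom.properties first, then the manifest), compares it with the first release on each line in which the functor classes stopped being Serializable (3.2.2 for commons-collections, 4.1 for commons-collections4, per COLLECTIONS-580), and flags commons-beanutils as a transitive consumer. The jars built by make_sample_libdir() are constructed stubs containing only metadata, not real library binaries.

```python
"""Scan a lib directory for Apache commons-collections jars that predate the
COLLECTIONS-580 fix, and flag commons-beanutils, which depends on commons-collections.
The jars built by make_sample_libdir() are constructed stubs (manifest and
pom.properties only), not real library code."""
import os
import re
import tempfile
import zipfile

# First release on each line in which the functor classes are no longer Serializable.
FIXED = {"commons-collections": (3, 2, 2), "commons-collections4": (4, 1)}
ARTIFACT_RE = re.compile(r"^(commons-collections4?)(?:-.*)?\.jar$")
TRANSITIVE_RE = re.compile(r"^commons-beanutils")


def parse_version(text):
    """'3.2.1' -> (3, 2, 1). Anything after the numeric part is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised version %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def jar_version(path):
    """Version recorded inside the jar: Maven pom.properties, then the manifest.
    The file name is deliberately not trusted; bundles often ship an
    unversioned commons-collections.jar. Returns None if nothing usable is found."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for key in ("Implementation-Version", "Bundle-Version"):
                m = re.search(r"^%s:\s*(\S+)" % key, manifest, re.M)
                if m:
                    return m.group(1)
    return None


def scan_libdir(libdir):
    """Return {jar name: status}, status being VULNERABLE, FIXED,
    UNKNOWN_VERSION or TRANSITIVE_DEP. Unrelated jars are not reported."""
    report = {}
    for name in sorted(os.listdir(libdir)):
        m = ARTIFACT_RE.match(name)
        if m:
            version = jar_version(os.path.join(libdir, name))
            if version is None:
                report[name] = "UNKNOWN_VERSION"
            elif parse_version(version) >= FIXED[m.group(1)]:
                report[name] = "FIXED"
            else:
                report[name] = "VULNERABLE"
        elif TRANSITIVE_RE.match(name):
            # commons-beanutils needs commons-collections at runtime, so deleting
            # only the collections jar either breaks beanutils or leaves another
            # copy of collections on the classpath to satisfy it.
            report[name] = "TRANSITIVE_DEP"
    return report


def _write_jar(path, manifest_version=None, pom=None):
    """Constructed stub jar: a manifest and, optionally, Maven pom.properties."""
    with zipfile.ZipFile(path, "w") as zf:
        mf = "Manifest-Version: 1.0\n"
        if manifest_version:
            mf += "Implementation-Version: %s\n" % manifest_version
        zf.writestr("META-INF/MANIFEST.MF", mf)
        if pom:
            group, artifact, version = pom
            zf.writestr("META-INF/maven/%s/%s/pom.properties" % (group, artifact),
                        "version=%s\ngroupId=%s\nartifactId=%s\n" % (version, group, artifact))


def make_sample_libdir():
    """Constructed lib directory mirroring the shapes seen in this issue."""
    d = tempfile.mkdtemp(prefix="libscan-")
    _write_jar(os.path.join(d, "commons-collections.jar"), manifest_version="3.2.1")
    _write_jar(os.path.join(d, "commons-collections-3.2.2.jar"),
               pom=("commons-collections", "commons-collections", "3.2.2"))
    _write_jar(os.path.join(d, "commons-collections4-4.0.jar"),
               pom=("org.apache.commons", "commons-collections4", "4.0"))
    _write_jar(os.path.join(d, "commons-beanutils-1.8.3.jar"), manifest_version="1.8.3")
    _write_jar(os.path.join(d, "commons-collections-unknown.jar"))
    _write_jar(os.path.join(d, "icefaces.jar"), manifest_version="3.3.0")
    return d


if __name__ == "__main__":
    for jar, status in scan_libdir(make_sample_libdir()).items():
        print("%-36s %s" % (jar, status))
```

        Point scan_libdir() at the real showcase/lib or bundle lib directory instead of make_sample_libdir(). UNKNOWN_VERSION means the jar carries no usable metadata; confirm it by hashing it against the Apache release artifacts rather than assuming it is old or new.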
        Ken Fyten made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Assignee Carlo Guglielmin [ carlo.guglielmin ] Ken Fyten [ ken.fyten ]
        Assignee Priority P2 [ 10011 ] P1 [ 10010 ]
        Ken Fyten made changes -
        Description: added the line "EDIT: Official Apache issue: https://issues.apache.org/jira/browse/COLLECTIONS-580" after the exploit reference; the text is otherwise identical to the Description above.
        Ken Fyten added a comment -

        Turns out Apache finally resolved this issue via new commons-collections library releases.

        Re-instated the commons-collections.jar for ICEfaces 1.8.2.EE_P09, using the 3.2.2 release. This release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. Serialization support for unsafe classes in the functor package has been completely removed (classes do not implement the Serializable interface anymore).

        Ken Fyten made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Ken Fyten made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee: Ken Fyten
          • Reporter: Ken Fyten
          • Votes: 0
          • Watchers: 2
