Details
-
Type:
Improvement
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: EE-1.8.2.GA_P03, EE-3.0.0.GA, EE-3.3.0.GA_P03, EE-1.8.2.GA_P08
-
Fix Version/s: 4.1, EE-3.3.0.GA_P04, EE-1.8.2.GA_P09
-
Component/s: ICE-Components
-
Labels:None
-
Environment:ICEfaces ICE / Compat components, Apache commons library.
-
Assignee Priority:P1
-
Affects:Compatibility/Configuration
Description
The ICEfaces EE 3.2.0+ and EE 1.8.2.GA+ releases redistribute the apache-commons library which is required by the ICE components.
A new zero-day insecure deserialization exploit was found in the Apache commons library. This exploit is documented here: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
EDIT: Official Apache issue: https://issues.apache.org/jira/browse/COLLECTIONS-580
This JIRA is to implement an updated/patched Apache commons library for the current EE 3.3 and EE 1.8.2 maintenance branches to be included in the next releases (and patched to customers as needed on older releases).
Note that ICEfaces 4.0 / EE 4.0 does not use the Apache commons library, though we do redistribute it in support of the MyFaces JSF runtime, which requires it. MyFaces will be updated via a separate JIRA once they provide a patched release of their own.
A new zero-day insecure deserialization exploit was found in the Apache commons library. This exploit is documented here: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
EDIT: Official Apache issue: https://issues.apache.org/jira/browse/COLLECTIONS-580
This JIRA is to implement an updated/patched Apache commons library for the current EE 3.3 and EE 1.8.2 maintenance branches to be included in the next releases (and patched to customers as needed on older releases).
Note that ICEfaces 4.0 / EE 4.0 does not use the Apache commons library, though we do redistribute it in support of the MyFaces JSF runtime, which requires it. MyFaces will be updated via a separate JIRA once they provide a patched release of their own.
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion