Re: [m2e-users] Vulnerability problem found in M2E

Hello all.

I think I understand the situation on M2E now. Thank you all for your time educating me a bit.
Since this problem doesn't affect M2E, in particular archetypes, I agree with all of you that this is not critical for the tools. However, I've opened this Bugzilla as non-critical; I don't think the fix in commons-collections affects M2E, but it seems good to have the latest version.

We are working with IBM's management to figure out a way to contribute this fix to Eclipse. My teammate Cesar will be in charge of this.

https://bugs.eclipse.org/bugs/show_bug.cgi?id=482590

Regards

 
Victor Adrian Sosa Herrera
Software Engineer - Rational Application Developer
IBM Master Innovator
Mexico Software Lab
2200 Camino A El Castillo
El Salto, 45680
Mexico
C120
Q2
Phone: +52-33-3669-7000 x3344
Mobile: +52-1-33-1529-6494
e-mail: victorsh@xxxxxxxxxxx

----- Original message -----
From: Hervé BOUTEMY <herve.boutemy@xxxxxxx>
Sent by: m2e-users-bounces@xxxxxxxxxxx
To: Maven Integration for Eclipse users mailing list <m2e-users@xxxxxxxxxxx>
Cc:
Subject: Re: [m2e-users] Vulnerability problem found in M2E
Date: Wed, Nov 18, 2015 1:12 AM
 
Hi,

No, archetype doesn't use any object serialization/deserialization: everything
is done through descriptors written in XML and read with Modello.

So no, archetype won't trigger the serialization issue.

Of course, upgrading the lib for future m2e version will be a good thing, but
there is no hurry. Opening a Bugzilla issue IMHO is useful, just don't put it
"critical security fix": just good and easy upgrade to avoid future discussions
on the topic.

Regards,

Hervé

On Tuesday, 17 November 2015 at 21:49:43, Victor Adrian Sosa Herrera wrote:
> Perhaps I didn't make myself clear.
>
> Yes, the problem is related to serialization of objects from untrusted
> sources. My understanding is that when you pull/create an archetype,
> there's some sort of serialization of such an archetype; please correct me if
> I'm wrong, because this is a gray area to me.
> What I meant is that it doesn't matter whether you serialize or not using
> the commons-collections library, as long as you have it loaded in the
> classpath.
> If that's the case, then m2e is vulnerable. Can someone confirm my
> assumption, please?
> Thanks a lot.
> Regards
>
> ----- Original message -----
> From: Matthew Piggott <mpiggott@xxxxxxxxxxxx>
> Sent by: m2e-users-bounces@xxxxxxxxxxx
> To: Maven Integration for Eclipse users mailing list <m2e-users@xxxxxxxxxxx>
> Cc:
> Subject: Re: [m2e-users] Vulnerability problem found in M2E
> Date: Tue, Nov 17, 2015 3:28 PM
>  
> Unless you've got the wrong link, the commons vulnerability we've all seen
> is for deserializing objects from untrusted sources.
>
> On 17 November 2015 at 16:24, Victor Adrian Sosa Herrera
> <victorsh@xxxxxxxxxxx> wrote:
>
> Thank you for responding, Matthew.
>  
> However, the problem depicted there is that it doesn't matter whether you
> are serializing/deserializing objects at runtime; having the JAR in the
> classpath is enough to get this exploitation on the job. Currently, m2e
> seems to be packaging this JAR in org.eclipse.m2e.archetype.common for both
> 1.4 and 1.5.
> The good news is that the Apache Commons team shipped yesterday a fix for
> the 3.x version. You can grab it from here:
> https://commons.apache.org/proper/commons-collections/download_collections.cgi
> For the 4.x version, they are still working on it AFAIK.
>
> With that being said, does this sound convincing enough to fix it in m2e?
> Even better, should I open a Bugzilla to track this?
> Thanks again.
>  
> Regards
>
> ----- Original message -----
> From: Matthew Piggott <mpiggott@xxxxxxxxxxxx>
> Sent by: m2e-users-bounces@xxxxxxxxxxx
> To: Maven Integration for Eclipse users mailing list <m2e-users@xxxxxxxxxxx>
> Cc:
> Subject: Re: [m2e-users] Vulnerability problem found in M2E
> Date: Tue, Nov 17, 2015 3:12 PM
>  
> It seems unlikely m2e is affected by it.
>
> It's been a while, but I don't recall m2e using class serialization
> internally. The bundle suggests the archetypes; I don't know if the Maven
> archetypes use object serialization, but since they can already result in
> arbitrary code being run on your system (via the generated pom) it doesn't
> seem an attack source.
>
> On 17 November 2015 at 16:05, Victor Adrian Sosa Herrera
> <victorsh@xxxxxxxxxxx> wrote:
>
> Hello Community.
>
> Throwing this question on the table again. Will this problem be fixed by the m2e
> team?
> Thanks
>  
> Regards
>
> ----- Original message -----
> From: Victor Adrian Sosa Herrera/Mexico/IBM
> To: m2e-users@xxxxxxxxxxx
> Cc:
> Subject: Vulnerability problem found in M2E
> Date: Mon, Nov 16, 2015 1:39 PM
>  
> Hello community.
>  
> In the past weeks, a security vulnerability was found in the Apache Commons
> Collections library, particularly in versions 3.x and 4.x. You can see the
> details here:
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> The fix is on its way and tracked under this JIRA:
> https://issues.apache.org/jira/browse/COLLECTIONS-580
>
> Now, I've been digging into this a little bit and found that one M2E plugin is
> bundling this commons-collections.jar archive, at least on Eclipse Luna.
> Doing a quick search in the Eclipse installation I found this:
> org.eclipse.m2e.archetype.common_1.5.0.20140605-2032/commons-collections-3.2.jar
> Do you have any plans to patch this plugin with the updated library (once
> available)?
> Regards
_______________________________________________
m2e-users mailing list
m2e-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/m2e-users
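The thread's inventory step (searching an Eclipse installation for bundled commons-collections jars) as a small scanner. This is an added example, not code from the thread or from the m2e project: it walks a plugins tree, reads each jar's version from its file name, and flags jars below a caller-supplied minimum release per major line. The sample tree (the m2e bundle path quoted above plus a hypothetical second bundle) and the minimum release numbers are assumptions constructed inline.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Matches commons-collections-3.2.jar as well as commons-collections4-4.0.jar
JAR_RE = re.compile(r"^commons-collections(4)?-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.2' or '3.2.2' into a tuple that compares numerically."""
    return tuple(int(part) for part in text.split("."))


def find_collections_jars(root: str) -> List[Tuple[str, str]]:
    """Walk an Eclipse install and return (path relative to root, version)
    for every bundled commons-collections jar, whichever bundle ships it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_RE.match(name)
            if match:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append((rel, match.group(2)))
    return sorted(found)


def outdated_jars(root: str, minimum: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return jars below the minimum release for their major line ('3', '4').
    A major with no entry in `minimum` is flagged too: no fixed release known."""
    flagged = []
    for rel, version in find_collections_jars(root):
        floor = minimum.get(version.split(".")[0])
        if floor is None or parse_version(version) < parse_version(floor):
            flagged.append((rel, version))
    return flagged


def build_sample_install() -> str:
    """Constructed sample tree: the m2e bundle path quoted in the thread plus
    a hypothetical second bundle carrying the 4.x line. Jars are empty files."""
    root = tempfile.mkdtemp(prefix="eclipse-")
    bundles = {
        "plugins/org.eclipse.m2e.archetype.common_1.5.0.20140605-2032": "commons-collections-3.2.jar",
        "plugins/com.example.other_1.0.0": "commons-collections4-4.0.jar",
    }
    for bundle, jar in bundles.items():
        os.makedirs(os.path.join(root, bundle))
        open(os.path.join(root, bundle, jar), "wb").close()
    return root
```

Calling `outdated_jars(build_sample_install(), {"3": "3.2.2"})` flags the bundled 3.2 jar and, because no 4.x floor is given, the 4.0 jar as well; pass the release you have verified as fixed for each line you accept.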