[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[cross-project-issues-dev] Question on commons-collections dependencies

Hi All:

You may have seen the recent news about deserializing random streams via commons-collections [1] and how this can lead to remote exploits. While it seems pretty unlikely that eclipse is vulnerable to this, it's worth noting that commons-collections is a requirement of org.eclipse.jpt.jpa, and possibly other bundles in various distributions.

I may be misunderstanding the issue, but as I understand it, simply having the jar on the classpath isn't enough to exploit. Instead, you must actually be either 1) using the library to deserialize some persisted (untrusted) java object, or 2) be exposing ports and accepting arbitrary serialized data and then deserializing it.

So the question is, do any eclipse distributions (classic, jee, etc) have any reason to open ports and accept remote connections and blindly deserialize the data?

- Rob Stryker

[1] http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/