Author: tn
Date: Sat Nov 21 09:51:39 2015
New Revision: 1715489

URL: http://svn.apache.org/viewvc?rev=1715489&view=rev
Log:
Add security report.

Added:
    commons/proper/collections/trunk/src/site/xdoc/security-reports.xml   (with 
props)
Modified:
    commons/proper/collections/trunk/src/site/site.xml

Modified: commons/proper/collections/trunk/src/site/site.xml
URL: 
http://svn.apache.org/viewvc/commons/proper/collections/trunk/src/site/site.xml?rev=1715489&r1=1715488&r2=1715489&view=diff
==============================================================================
--- commons/proper/collections/trunk/src/site/site.xml (original)
+++ commons/proper/collections/trunk/src/site/site.xml Sat Nov 21 09:51:39 2015
@@ -24,15 +24,16 @@
 
     <body>
         <menu name="Collections">
-            <item name="Overview"      href="/index.html"/>
-            <item name="Download"      href="/download_collections.cgi"/>
-            <item name="Users guide"   href="/userguide.html"/>
-            <item name="History"       href="/history.html"/>
-            <item name="Release Notes v4.0" href="/release_4_0.html"/>
+            <item name="Overview"             href="/index.html"/>
+            <item name="Download"             
href="/download_collections.cgi"/>
+            <item name="Security Reports"     href="/security-reports.html"/>
+            <item name="Users guide"          href="/userguide.html"/>
+            <item name="History"              href="/history.html"/>
+            <item name="Release Notes v4.0"   href="/release_4_0.html"/>
             <item name="Release Notes v3.2.2" href="/release_3_2_2.html"/>
-            <item name="Javadoc v4.1"       
href="/javadocs/api-release/index.html"/>
-            <item name="Javadoc v4.0"       
href="/javadocs/api-4.0/index.html"/>
-            <item name="Javadoc v3.2.2"     
href="/javadocs/api-3.2.2/index.html"/>
+            <item name="Javadoc v4.1"         
href="/javadocs/api-release/index.html"/>
+            <item name="Javadoc v4.0"         
href="/javadocs/api-4.0/index.html"/>
+            <item name="Javadoc v3.2.2"       
href="/javadocs/api-3.2.2/index.html"/>
         </menu>
 
         <menu name="Development">

Added: commons/proper/collections/trunk/src/site/xdoc/security-reports.xml
URL: 
http://svn.apache.org/viewvc/commons/proper/collections/trunk/src/site/xdoc/security-reports.xml?rev=1715489&view=auto
==============================================================================
--- commons/proper/collections/trunk/src/site/xdoc/security-reports.xml (added)
+++ commons/proper/collections/trunk/src/site/xdoc/security-reports.xml Sat Nov 
21 09:51:39 2015
@@ -0,0 +1,111 @@
+<?xml version="1.0"?>
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Commons Collections Security Reports</title>
+        <author email="d...@commons.apache.org">Commons Documentation 
Team</author>
+    </properties>
+    <body>
+      <section name="General Information">
+        <p>For information about reporting or asking questions about
+        security problems, please see the <a
+        href="http://commons.apache.org/security.html";>security page
+        of the Commons project</a>.</p>
+      </section>
+
+      <section name="Apache Commons Collections Security Vulnerabilities">
+        <p>This page lists all security vulnerabilities fixed in
+        released versions of Apache Commons Collections. Each
+        vulnerability is given a security impact rating by the
+        development team - please note that this rating may vary from
+        platform to platform. We also list the versions of Commons
+        Collections the flaw is known to affect, and where a flaw has not
+        been verified list the version with a question mark.</p>
+
+        <p>Please note that binary patches are never provided. If you
+        need to apply a source code patch, use the building
+        instructions for the Commons Collections version that you are
+        using.</p>
+
+        <p>If you need help on building Commons Collections or other help
+        on following the instructions to mitigate the known
+        vulnerabilities listed here, please send your questions to the
+        public <a href="mail-lists.html">Collections Users mailing
+        list</a>.</p>
+
+        <p>If you have encountered an unlisted security vulnerability
+        or other unexpected behaviour that has security impact, or if
+        the descriptions here are incomplete, please report them
+        privately to the Apache Security Team. Thank you.</p>
+
+        <subsection name="Fixed in Apache Commons Collections 3.2.2/4.1">
+          <p><b>High: Remote Code Execution during object 
de-serialization</b></p>
+          
+          <p>The Apache Commons Collections library contains various classes
+          in the "functor" package which are serializable and use reflection.
+          This can be exploited for remote code execution attacks by injecting
+          specially crafted objects to applications that de-serialize
+          java objects from untrusted sources and have the Apache Commons 
Collections
+          library in their classpath and do not perform any kind of input
+          validation.</p>
+
+          <p>The implemented fix can be tracked via its related issue  
+          <a 
href="https://issues.apache.org/jira/browse/COLLECTIONS-580";>COLLECTIONS-580</a>:</p>
+          
+          <ul>
+            <li><b>3.2.2</b>: de-serialization of unsafe classes in the 
functor package
+                will trigger an "UnsupportedOperationException" by default. In 
order to re-enable
+                the previous behavior, the system property
+                "org.apache.commons.collections.enableUnsafeSerialization" has 
to be set to "true".</li>
+            <li><b>4.1</b>: de-serialization support for unsafe classes in the 
functor package
+                has been completely removed (unsafe classes do not implement 
Serializable anymore).</li>
+          </ul>
+
+          <p>The potential exploit was first presented at AppSecCali2015 [3] 
on 28 January 2015 by
+          Gabriel Lawrence and Chris Frohoff. Based on these exploits, Stephen 
Breen published
+          on 06 November 2015 attack scenarios [4] for various products like 
WebSphere, JBoss, Jenkins,
+          WebLogic, and OpenNMS. The Security team was <b>not</b> informed 
about these security
+          problems prior to their publication. No CVE id was assigned for the 
Apache Commons
+          Collections library, please refer to [1] or [2] for more information 
about the general
+          problem with Java serialization.</p>
+          
+          <p>Affects: 3.0 - 4.0</p>
+          
+          <p>Related links:</p>
+          
+          <ol>
+            <li>Vulnerability Report for Oracle Weblogic Server:
+                <a 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852";>CVE-2015-4852</a></li>
+            <li>Apache Commons
+                <a 
href="https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread";>statement</a>
+                to widespread Java object de-serialisation vulnerability</li>
+            <li><a 
href="http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles";>
+                Presentation</a> @ AppSecCali2015 by Lawrence and Frohoff</li>
+            <li><a 
href="http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability";>Attack
 scenarios</a>
+                for various products by Stephen Breen</li>
+          </ol>
+
+        </subsection>
+      </section>
+
+      <section name="Errors and Ommissions">
+        <p>Please report any errors or omissions to <a
+        href="mail-lists.html">the dev mailing list</a>.</p>
+      </section>
+    </body>
+</document>
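Review bot: The new document starts with `<?xml version="1.0"?>` and no encoding declaration, so the author's e-mail address and any non-ASCII text that later lands on this page rely on the parser's default; the first line should be `<?xml version="1.0" encoding="UTF-8"?>`. The heading of the last section is misspelled and is rendered to readers as written, so it should read `<section name="Errors and Omissions">`. The 3.2.2 bullet describes the `org.apache.commons.collections.enableUnsafeSerialization` property only as a way to "re-enable the previous behavior"; since that behaviour is the one this page reports as exploitable, the bullet should say so plainly, for example by appending `Setting it restores the vulnerable behaviour and should only be done for compatibility with trusted input.` The hrefs in this hunk end in `";`, which looks like archive rewriting rather than the committed text, but is worth confirming against the file in the repository.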

Propchange: commons/proper/collections/trunk/src/site/xdoc/security-reports.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: commons/proper/collections/trunk/src/site/xdoc/security-reports.xml
------------------------------------------------------------------------------
    svn:keywords = Id Revision HeadURL

Propchange: commons/proper/collections/trunk/src/site/xdoc/security-reports.xml
------------------------------------------------------------------------------
    svn:mime-type = text/xml

