This v3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. By default, serialization support for unsafe classes in the functor package is disabled and will result in an exception when either trying to serialize or de-serialize an instance of these classes. For more details, please refer to COLLECTIONS-580.

      https://commons.apache.org/proper/commons-collections/release_3_2_2.html
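As an added example, not code from this issue or from Commons Collections, the following check confirms that the 3.2.2 mitigation described above is actually in effect on the classpath a deployment uses: serializing one of the functor classes must fail with an UnsupportedOperationException. It assumes commons-collections 3.2.2 on the classpath and the system property name org.apache.commons.collections.enableUnsafeSerialization, which 3.2.2 reads to re-enable the unsafe serialization support.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Verifies the 3.2.2 mitigation: serializing an "unsafe" functor such as
 * InvokerTransformer is refused unless the system property
 * org.apache.commons.collections.enableUnsafeSerialization is "true".
 * (Assumes commons-collections 3.2.2 or later 3.x on the classpath.)
 */
public class UnsafeSerializationCheck {

    /** Returns true when 3.2.2 refuses to serialize InvokerTransformer (mitigation active). */
    public static boolean unsafeFunctorSerializationIsBlocked() throws IOException {
        // A harmless functor instance; the class itself is what 3.2.2 flags as unsafe.
        Transformer t = new InvokerTransformer("toString", new Class[0], new Object[0]);
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(t);
            return false; // serialized without complaint: unsafe serialization is enabled
        } catch (UnsupportedOperationException expected) {
            return true;  // 3.2.2 throws "Serialization support for ... is disabled"
        }
    }

    public static void main(String[] args) throws IOException {
        String flag = System.getProperty("org.apache.commons.collections.enableUnsafeSerialization");
        System.out.println("enableUnsafeSerialization property: " + flag);
        if (unsafeFunctorSerializationIsBlocked()) {
            System.out.println("OK: unsafe functor serialization is blocked (3.2.2 mitigation active)");
        } else {
            System.out.println("WARNING: unsafe functor serialization succeeded; check the bundled "
                    + "commons-collections version and the enableUnsafeSerialization property");
            System.exit(1);
        }
    }
}
```

Run it with the same classpath as the application (e.g. against the commons-collections jar bundled with Confluence) so the check reflects the version actually loaded, not a development dependency.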

            [CONFSERVER-40130] Upgrade to version 3.2.2 of apache commons-collections

David Black added a comment - edited

            The commons-collections exploitation is rated as a level 9 threat by tools such as Sonatype Nexus Pro. It's great that the issue has been promptly fixed in Confluence, but shouldn't the priority be rated as major or critical? This would help support people when it comes to deciding whether they need to upgrade to v5.9.3 now - or wait for v5.9.4,

            msymons we have not treated upgrading the version of commons-collections as critical because only Confluence instances with a Data Center license are vulnerable through Hazelcast, which is used for clustering, and by default listens on port 5801. Ensure that you only permit cluster nodes to connect to a Confluence Data Center instance's Hazelcast port through the use of a firewall and/or network segregation.



            Deleted Account (Inactive) added a comment - This issue is mentioned in commits included in the Confluence 6.0.0-OD-2016.01.1-0003 release being approved for production: CPU-180


            Mark Symons added a comment - The commons-collections exploitation is rated as a level 9 threat by tools such as Sonatype Nexus Pro. It's great that the issue has been promptly fixed in Confluence, but shouldn't the priority be rated as major or critical? This would help support people when it comes to deciding whether they need to upgrade to v5.9.3 now - or wait for v5.9.4,


            Deleted Account (Inactive) added a comment - This issue is mentioned in commits included in the Confluence 6.0.0-OD-2016.01.1-0002 release being approved for production: CPU-179
