Bug 739348 (CVE-2017-15708) - <dev-java/commons-collections-3.2.2: Unsafe deserialisation (CVE-2017-15708)
Summary: <dev-java/commons-collections-3.2.2: Unsafe deserialisation (CVE-2017-15708)
Status: RESOLVED FIXED
Alias: CVE-2017-15708
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://commons.apache.org/proper/com...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks: 779490
Reported: 2020-08-28 03:19 UTC by Sam James
Modified: 2021-07-16 04:14 UTC

See Also:
Package list:
dev-java/commons-collections-3.2.2
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester gentoo-dev Security 2020-08-28 03:19:13 UTC
"This 3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. By default, serialization support for unsafe classes in the functor package is disabled and will result in an exception when either trying to serialize or de-serialize an instance of these classes. For more details, please refer to COLLECTIONS-580."

"Serialization support for unsafe classes in the functor package is disabled by default as this can be exploited for remote code execution attacks. To re-enable the feature the system property "org.apache.commons.collections.enableUnsafeSerialization" needs to be set to "true". Classes considered to be unsafe are: CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure."

Full change list: https://commons.apache.org/proper/commons-collections/changes-report.html#a3.2.2
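To confirm that an installed build actually carries the mitigation described in the release notes above, the following added check (not code from this bug, the Gentoo commit, or Apache Commons itself) tries to serialize a harmless InvokerTransformer and reports whether the library refuses; the class name FunctorSerializationCheck is an assumption.

```java
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Hypothetical helper (not part of commons-collections): reports whether the
 * commons-collections on the classpath blocks serialization of the functor
 * classes listed in the 3.2.2 release notes.
 */
public class FunctorSerializationCheck {

    /**
     * Returns true when the library refuses to serialize a functor, which is
     * the 3.2.2 default. Returns false on 3.2.1 and earlier, or on 3.2.2 when
     * -Dorg.apache.commons.collections.enableUnsafeSerialization=true has been
     * set, the configuration the release notes warn against.
     */
    static boolean functorSerializationBlocked() throws Exception {
        // A benign functor: calls toString() on its input, no side effects.
        Transformer functor = InvokerTransformer.getInstance("toString");
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(functor);
            return false; // serialized without complaint: mitigation absent or disabled
        } catch (UnsupportedOperationException e) {
            // 3.2.2 throws here with a message naming the system property.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        String prop = System.getProperty("org.apache.commons.collections.enableUnsafeSerialization", "unset");
        System.out.println("enableUnsafeSerialization=" + prop);
        System.out.println(functorSerializationBlocked()
                ? "OK: functor serialization is blocked (>=3.2.2 default)"
                : "WARNING: functor serialization is allowed (<3.2.2 or property set to true)");
    }
}
```

Run it once with the package's commons-collections jar on the classpath and once more with the system property set to true to see the difference the release note describes; the check only serializes and never reads untrusted bytes.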
Comment 1 Sam James archtester gentoo-dev Security 2020-08-28 03:19:39 UTC
Note that 4.x isn't vulnerable, but <3.2.2 is, so we need to bump to 3.2.2 here *or* just clean up 3.x if possible.
Comment 2 Larry the Git Cow gentoo-dev 2021-04-21 09:33:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e90a6173247f06514731825677f3fc67c62bdc52

commit e90a6173247f06514731825677f3fc67c62bdc52
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-21 09:31:11 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-21 09:33:09 +0000

    dev-java/commons-collections: bump to 3.2.2
    
    Bug: https://bugs.gentoo.org/739348
    Closes: https://bugs.gentoo.org/784131
    Closes: https://bugs.gentoo.org/780153
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-collections/Manifest              |   1 +
 .../commons-collections-3.2.2.ebuild               |  67 +++++++
 .../files/commons-collections-3.2.2-fixes.patch    | 201 +++++++++++++++++++++
 3 files changed, 269 insertions(+)
Comment 3 Miroslav Šulc gentoo-dev 2021-04-21 09:36:02 UTC
It should be safe to stabilize.
Comment 4 John Helmert III gentoo-dev Security 2021-04-21 12:35:45 UTC
Thanks!
Comment 5 Sam James archtester gentoo-dev Security 2021-04-21 18:51:52 UTC
amd64 done
Comment 6 Sam James archtester gentoo-dev Security 2021-04-22 12:14:09 UTC
ppc64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-04-26 19:09:42 UTC
x86 done

all arches done
Comment 8 John Helmert III gentoo-dev Security 2021-04-26 23:43:19 UTC
Please clean up.
Comment 9 Larry the Git Cow gentoo-dev 2021-04-27 05:36:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7b2e1ce22d34cb19c5e7d03c16fcabe3420d06a

commit c7b2e1ce22d34cb19c5e7d03c16fcabe3420d06a
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-27 05:36:49 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-27 05:36:49 +0000

    dev-java/commons-collections: removed obsolete and vulnerable 3.2.1-r1
    
    Bug: https://bugs.gentoo.org/739348
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-collections/Manifest              |   1 -
 .../commons-collections-3.2.1-r1.ebuild            |  74 ----------
 .../files/commons-collections-3.2.1-Java-8.patch   | 160 ---------------------
 dev-java/commons-collections/metadata.xml          |   3 -
 4 files changed, 238 deletions(-)
Comment 10 Miroslav Šulc gentoo-dev 2021-04-27 05:37:19 UTC
The tree is clean now; you can proceed.
Comment 11 John Helmert III gentoo-dev Security 2021-07-14 23:32:42 UTC
GLSA request filed.
Comment 12 John Helmert III gentoo-dev Security 2021-07-14 23:34:47 UTC
GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2021-07-16 04:14:36 UTC
This issue was resolved and addressed in
 GLSA 202107-37 at https://security.gentoo.org/glsa/202107-37
by GLSA coordinator John Helmert III (ajak).