Mitigate CWE-502 in WF 9.0.2?

bjornwarmedal Dec 1, 2015 7:38 AM

I'm wondering how to mitigate this vulnerability (Vulnerability Note VU#576313 - Apache Commons Collections Java library insecurely deserializes data) in the latest release of WF. Can it be done without compiling from source?

Also, I couldn't find a bug report on this in the tracker, but maybe my search fu is just too weak?

1. Re: Mitigate CWE-502 in WF 9.0.2?

ctomc Dec 1, 2015 6:49 PM (in response to bjornwarmedal)

there is no direct exposure to CVE mentioned as WildFly doesn't provide jmx-invoker anymore.
for more details see https://access.redhat.com/solutions/2045023

Quickest solution would probably be to manually update common-collections jar in org.apache.commons.collections module
to version 3.2.2 that has issue resolved.
Actions