Thanks for sending this, Rene. In the future, please send issues like this to secur...@cloudstack.apache.org.

We’re looking things over, and will have further comments after review.

John

On Nov 10, 2015, at 6:07 AM, Rene Moser <m...@renemoser.net> wrote:

Hi

This security issue came to my attention:
https://issues.apache.org/jira/browse/COLLECTIONS-580

See
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
for more background information.

I am not sure if cloudstack is affected, at least we have a dependency on this vulnerable lib:

$ grep -Rl InvokerTransformer .
./plugins/hypervisors/kvm/target/dependencies/commons-collections-3.2.1.jar
./client/target/cloud-client-ui-4.5.2.war
./client/target/cloud-client-ui-4.5.2/WEB-INF/lib/commons-collections-3.2.1.jar
./usage/target/dependencies/commons-collections-3.2.1.jar
./agent/target/dependencies/commons-collections-3.2.jar
./engine/service/target/engine/WEB-INF/lib/commons-collections-3.2.jar

Thanks for clarification.

Yours
René
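Added example, not part of the original emails or of CloudStack: the grep above flags a `.war` as a whole without saying which bundled jar carries the class, so this sketch opens each archive and recurses into nested ones. The function names, the size limit and the in-memory sample are assumptions made for illustration.

```python
import io
import os
import re
import zipfile

# InvokerTransformer class entry as packaged in commons-collections 3.x and 4.x jars.
TARGET = re.compile(r"org/apache/commons/collections4?/functors/InvokerTransformer\.class")
ARCHIVE_EXTS = (".jar", ".war", ".ear")
MAX_NESTED = 256 * 1024 * 1024  # do not inflate nested entries larger than this


def scan_archive(data, label, depth=4):
    """Return the label of every archive, outer or nested, that holds the class."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                if TARGET.fullmatch(name):
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXTS) and depth > 0 and info.file_size <= MAX_NESTED:
                    hits += scan_archive(zf.read(info), f"{label}!/{name}", depth - 1)
    except zipfile.BadZipFile:
        pass  # unreadable or corrupt archive: keep whatever was found before the error
    return hits


def scan_tree(root):  # walk a build tree the way `grep -Rl` does, but look inside archives
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(f for f in files if f.lower().endswith(ARCHIVE_EXTS)):
            with open(os.path.join(dirpath, fn), "rb") as fh:
                hits += scan_archive(fh.read(), fh.name)
    return hits


def make_zip(entries):  # build an in-memory zip from {name: bytes} for the sample below
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample: a WAR bundling one jar with the class and one without.
SAMPLE_WAR = make_zip({
    "WEB-INF/lib/commons-collections-3.2.1.jar": make_zip(
        {"org/apache/commons/collections/functors/InvokerTransformer.class": b"\xca\xfe\xba\xbe"}),
    "WEB-INF/lib/other.jar": make_zip({"com/example/Other.class": b"\xca\xfe\xba\xbe"}),
})
```

A hit shows only that the class is on disk, the same thing the grep shows; whether the application deserializes untrusted data is a separate question.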