Why would an attacker rely on a deserialization bug when *as a matter of function* the archetype plugin results in arbitrary code run on your system? It's entirely redundant.

Heck, *every maven plugin* is arbitrary code downloaded & executed.

On 17 November 2015 at 16:49, Victor Adrian Sosa Herrera <victo...@mx1.ibm.com> wrote:

> Perhaps I didn't make myself clear.
>
> Yes, the problem is related to serialization of objects from untrusted sources. My understanding is that when you pull/create an archetype, there's some sort of serialization of such archetype, please correct me if wrong because this is a gray area to me.
>
> What I meant is that it doesn't matter whether you serialize or not using the commons-collections library, as long as you have it loaded in the classpath.
>
> If that's the case, then m2e is vulnerable. Can someone confirm my assumption, please?
>
> Thanks a lot
> Regards
>
> ------------------------------
> *Victor Adrian Sosa Herrera*
> Software Engineer - Rational Application Developer
> IBM Master Innovator
> 2200 Camino A El Castillo, El Salto, 45680 Mexico
> Software Lab Mexico C120 Q2
> Phone: +52-33-3669-7000 x3344
> Mobile: +52-1-33-1529-6494
> e-mail: victo...@mx1.ibm.com
> Twitter <https://twitter.com/sosah_victor>
> DeveloperWorks blog <https://www.ibm.com/developerworks/community/blogs/victorsh>
> ------------------------------
>
> ----- Original message -----
> From: Matthew Piggott <mpigg...@sonatype.com>
> Sent by: m2e-users-boun...@eclipse.org
> To: Maven Integration for Eclipse users mailing list <m2e-users@eclipse.org>
> Subject: Re: [m2e-users] Vulnerability problem found in M2E
> Date: Tue, Nov 17, 2015 3:28 PM
>
> Unless you've got the wrong link, the commons vulnerability we've all seen is for deserializing objects from untrusted sources.
>
> On 17 November 2015 at 16:24, Victor Adrian Sosa Herrera <victo...@mx1.ibm.com> wrote:
>
> > Thank you for responding, Matthew.
> >
> > However, the problem depicted there is that it doesn't matter whether you're serializing/deserializing objects in runtime, having the JAR in the classpath is enough to get this exploitation on the job. Currently, m2e seems to be packaging this JAR in org.eclipse.m2e.archetype.common for both 1.4 and 1.5.
> >
> > The good news is that the Apache Commons team shipped yesterday a fix for 3.x version. You can grab it from here
> > https://commons.apache.org/proper/commons-collections/download_collections.cgi
> >
> > For 4.x version, they are still working on it AFAIK.
> >
> > With that being said, does this sound convincing enough to fix it in m2e? Even better, should I open a bugzilla to track this?
> >
> > Thanks again.
> >
> > Regards
> >
> > ----- Original message -----
> > From: Matthew Piggott <mpigg...@sonatype.com>
> > Sent by: m2e-users-boun...@eclipse.org
> > To: Maven Integration for Eclipse users mailing list <m2e-users@eclipse.org>
> > Subject: Re: [m2e-users] Vulnerability problem found in M2E
> > Date: Tue, Nov 17, 2015 3:12 PM
> >
> > It seems unlikely m2e is affected by it.
> >
> > It's been a while but I don't recall m2e using class serialization internally. The bundle suggests the archetypes, I don't know if the maven archetypes use object serialization but since they can already result in arbitrary code being run on your system (via the generated pom) it doesn't seem an attack source.
> >
> > On 17 November 2015 at 16:05, Victor Adrian Sosa Herrera <victo...@mx1.ibm.com> wrote:
> >
> > > Hello Community.
> > >
> > > Throwing again this question to the table. Will this problem be fixed by the m2e team?
> > >
> > > Thanks
> > >
> > > Regards
> > >
> > > ----- Original message -----
> > > From: Victor Adrian Sosa Herrera/Mexico/IBM
> > > To: m2e-users@eclipse.org
> > > Subject: Vulnerability problem found in M2E
> > > Date: Mon, Nov 16, 2015 1:39 PM
> > >
> > > Hello community.
> > >
> > > Over the past weeks, a security vulnerability was found in Apache Commons Collections library, particularly on versions 3.x and 4.x. You can see details here
> > >
> > > http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> > >
> > > The fix is on its way and tracked under this JIRA
> > > https://issues.apache.org/jira/browse/COLLECTIONS-580
> > >
> > > Now, I've been digging this a little bit and found that one M2E plugin is bundling this commons-collections.jar archive, at least on Eclipse Luna. Doing a quick search in the Eclipse installation I found this
> > >
> > > org.eclipse.m2e.archetype.common_1.5.0.20140605-2032/commons-collections-3.2.jar
> > >
> > > Do you have any plans to patch this plugin with the updated library (once available)?
> > >
> > > Regards
_______________________________________________ m2e-users mailing list m2e-users@eclipse.org To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/m2e-users
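The distinction Matthew draws in the thread (the commons-collections issue is triggered by deserializing untrusted bytes, not by the jar merely sitting on the classpath) can be made concrete on the defensive side. The following is an added example, not code from m2e, Eclipse or Apache Commons: a look-ahead `ObjectInputStream` that refuses any class not on an explicit allowlist before it is instantiated, shown accepting a constructed benign stream and rejecting the same stream under a stricter allowlist. The class name `SafeObjectInputStream` and the helper `readAllowed` are assumptions of this example.

```java
import java.io.*;
import java.util.*;

// Added example, not m2e or commons-collections code: a look-ahead
// ObjectInputStream. resolveClass() runs before an object is instantiated, so
// a class absent from the allowlist is refused before its readObject (or any
// gadget chain hanging off it) executes. A gadget jar on the classpath is then
// inert for this stream: the risk is deserializing untrusted bytes, not the jar.
public class SafeObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public SafeObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Reads one object from data, aborting if any class in the stream is not allowed.
    public static Object readAllowed(byte[] data, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ArrayList holding one String. Strings are TC_STRING
        // records and never reach resolveClass, so the list class is what gets checked.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<>(Arrays.asList("archetype-catalog")));
        }
        byte[] data = bos.toByteArray();
        System.out.println("accepted: " + readAllowed(data, Collections.singleton("java.util.ArrayList")));
        try {
            readAllowed(data, Collections.singleton("java.lang.Integer"));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same check applies to any code path that feeds network or file bytes into `ObjectInputStream`; if a component never does that, a gadget jar on its classpath is not by itself exploitable through this bug, which is the point under discussion above.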