m2e doesn't deserialize anything from remote connections (doesn't even rely on commons-collections for deserializing its local state). The archetype plugin simply downloads xml and jars; I'm not aware it uses the deserialization mechanism either. I don't believe, unless proven otherwise, that m2e is affected by that particular vulnerability.
With that said, I'm fine updating to a non-vulnerable commons-collections version (3.2.2). Please open a bug in [1]. And if you want to provide a patch, have at it [1][2] :-)

Fred

[1] https://bugs.eclipse.org/bugs/enter_bug.cgi?product=m2e
[2] https://www.eclipse.org/m2e/documentation/m2e-development-environment.html#submitting-patches
[3] http://git.eclipse.org/c/m2e/m2e-core.git/tree/m2e-maven-runtime/org.eclipse.m2e.archetype.common/pom.xml#n28

On Tue, Nov 17, 2015 at 5:07 PM, Matthew Piggott <mpigg...@sonatype.com> wrote:
> Why would an attacker rely on a deserialization bug when *as a matter of function* the archetype plugin results in arbitrary code run on your system? It's entirely redundant.
>
> Heck, *every maven plugin* is arbitrary code downloaded & executed.
>
> On 17 November 2015 at 16:49, Victor Adrian Sosa Herrera <victo...@mx1.ibm.com> wrote:
>
>> Perhaps I didn't make myself clear.
>>
>> Yes, the problem is related to serialization of objects from untrusted sources. My understanding is that when you pull/create an archetype, there's some sort of serialization of such archetype; please correct me if wrong because this is a gray area to me.
>>
>> What I meant is that it doesn't matter whether you serialize or not using the commons-collections library, as long as you have it loaded in the classpath.
>>
>> If that's the case, then m2e is vulnerable. Can someone confirm my assumption, please?
>> Thanks a lot
>> Regards
>>
>> ----- Original message -----
>> From: Matthew Piggott <mpigg...@sonatype.com>
>> Sent by: m2e-users-boun...@eclipse.org
>> To: Maven Integration for Eclipse users mailing list <m2e-users@eclipse.org>
>> Cc:
>> Subject: Re: [m2e-users] Vulnerability problem found in M2E
>> Date: Tue, Nov 17, 2015 3:28 PM
>>
>> Unless you've got the wrong link, the commons vulnerability we've all seen is for deserializing objects from untrusted sources.
>>
>> On 17 November 2015 at 16:24, Victor Adrian Sosa Herrera <victo...@mx1.ibm.com> wrote:
>>
>> Thank you for responding, Matthew.
>>
>> However, the problem depicted there is that it doesn't matter whether you're serializing/deserializing objects at runtime; having the JAR in the classpath is enough to get this exploitation on the job. Currently, m2e seems to be packaging this JAR in org.eclipse.m2e.archetype.common for both 1.4 and 1.5.
>>
>> The good news is that the Apache Commons team shipped yesterday a fix for the 3.x version. You can grab it from here: https://commons.apache.org/proper/commons-collections/download_collections.cgi
>>
>> For the 4.x version, they are still working on it AFAIK.
>>
>> With that being said, does this sound convincing enough to fix it in m2e? Even better, should I open a bugzilla to track this?
>>
>> Thanks again.
>> Regards
>>
>> ----- Original message -----
>> From: Matthew Piggott <mpigg...@sonatype.com>
>> Sent by: m2e-users-boun...@eclipse.org
>> To: Maven Integration for Eclipse users mailing list <m2e-users@eclipse.org>
>> Cc:
>> Subject: Re: [m2e-users] Vulnerability problem found in M2E
>> Date: Tue, Nov 17, 2015 3:12 PM
>>
>> It seems unlikely m2e is affected by it.
>>
>> It's been a while, but I don't recall m2e using class serialization internally. The bundle suggests the archetypes; I don't know if the maven archetypes use object serialization, but since they can already result in arbitrary code being run on your system (via the generated pom) it doesn't seem an attack source.
>>
>> On 17 November 2015 at 16:05, Victor Adrian Sosa Herrera <victo...@mx1.ibm.com> wrote:
>>
>> Hello Community.
>>
>> Throwing again this question to the table. Will this problem be fixed by the m2e team?
>> Thanks
>>
>> Regards
>>
>> ----- Original message -----
>> From: Victor Adrian Sosa Herrera/Mexico/IBM
>> To: m2e-users@eclipse.org
>> Cc:
>> Subject: Vulnerability problem found in M2E
>> Date: Mon, Nov 16, 2015 1:39 PM
>>
>> Hello community.
>>
>> In the past weeks, a security vulnerability was found in the Apache Commons Collections library, particularly in versions 3.x and 4.x. You can see details here:
>>
>> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
>>
>> The fix is on its way and tracked under this JIRA: https://issues.apache.org/jira/browse/COLLECTIONS-580
>>
>> Now, I've been digging into this a little bit and found that one M2E plugin is bundling this commons-collections.jar archive, at least on Eclipse Luna. Doing a quick search in the Eclipse installation I found this:
>>
>> org.eclipse.m2e.archetype.common_1.5.0.20140605-2032/commons-collections-3.2.jar
>>
>> Do you have any plans to patch this plugin with the updated library (once available)?
>>
>> Regards
_______________________________________________ m2e-users mailing list m2e-users@eclipse.org To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/m2e-users
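As an added, constructed example (not code from m2e or from anyone in the thread): a Python inventory check that does what Victor did by hand, walking an Eclipse install for bundled commons-collections jars and flagging any below the fixed version. The bundle path and the 3.2.2 threshold come from the thread; the 4.1 threshold for the 4.x line is taken from the library's release history, and the sample install it builds is a constructed stand-in.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# 3.2.2 is the fix named in the thread; 4.1 for the 4.x line is from release history, not the thread.
FIXED = {3: (3, 2, 2), 4: (4, 1, 0)}
NAME_RE = re.compile(r"^commons-collections4?-(\d+(?:\.\d+)*)\.jar$")
MANIFEST = "META-INF/MANIFEST.MF"

def parse_version(text):
    """'3.2' -> (3, 2, 0); tuples compare lexicographically."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def jar_version(jar_path):
    """Version from the file name, else the manifest, else None (unknown)."""
    m = NAME_RE.match(jar_path.name)
    if m:
        return parse_version(m.group(1))
    with zipfile.ZipFile(jar_path) as zf:
        text = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in zf.namelist() else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return parse_version(m.group(1)) if m else None

def is_vulnerable(version):
    if version is None:
        return True  # unknown version: treat as affected until shown otherwise
    fixed = FIXED.get(version[0])  # only the 3.x/4.x lines named in the thread
    return fixed is not None and version < fixed

def scan_eclipse(eclipse_dir):
    """Every commons-collections jar under the install, including ones unpacked in plugin
    directories such as org.eclipse.m2e.archetype.common (packed plugin .jars are not opened)."""
    root = Path(eclipse_dir)
    found = [(p.relative_to(root).as_posix(), jar_version(p)) for p in root.rglob("commons-collections*.jar")]
    return sorted((rel, v, is_vulnerable(v)) for rel, v in found)

def build_sample_install(root=None):
    """Constructed stand-in for the Eclipse Luna layout in the thread, not a real install."""
    plugins = Path(root or tempfile.mkdtemp()) / "plugins"
    m2e = plugins / "org.eclipse.m2e.archetype.common_1.5.0.20140605-2032"
    m2e.mkdir(parents=True)
    jars = {m2e / "commons-collections-3.2.jar": "Manifest-Version: 1.0\n",
            plugins / "commons-collections-3.2.2.jar": "Manifest-Version: 1.0\n",
            plugins / "commons-collections.jar": "Implementation-Version: 3.2.1\n"}
    for path, manifest in jars.items():
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(MANIFEST, manifest)
    return str(plugins.parent)
```

Point `scan_eclipse` at a real Eclipse directory to get a sorted list of (path, version, vulnerable) triples; the thread's 3.2 jar comes out flagged, the 3.2.2 one does not.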