I don't feel too strongly about this, but maybe the better approach would be to get the Apache devs to release a fixed archetype version first, then integrate that into m2e?

--
Regards,
Igor

On Tue, Nov 17, 2015, at 06:03 PM, Fred Bricon wrote:
> m2e doesn't deserialize anything from remote connections (doesn't even rely
> on commons-collections for deserializing its local state). The archetype
> plugin simply downloads xml and jars; I'm not aware it uses the
> deserialization mechanism either. I don't believe, unless proven otherwise,
> that m2e is affected by that particular vulnerability.
>
> With that said, I'm fine updating to a non-vulnerable commons-collections
> version (3.2.2). Please open a bug in [1].
> And if you want to provide a patch, have at it [1][2] :-)
>
> Fred
>
> [1] https://bugs.eclipse.org/bugs/enter_bug.cgi?product=m2e
> [2] https://www.eclipse.org/m2e/documentation/m2e-development-environment.html#submitting-patches
> [3] http://git.eclipse.org/c/m2e/m2e-core.git/tree/m2e-maven-runtime/org.eclipse.m2e.archetype.common/pom.xml#n28
>
> On Tue, Nov 17, 2015 at 5:07 PM, Matthew Piggott <mpigg...@sonatype.com> wrote:
>> Why would an attacker rely on a deserialization bug when *as a matter of
>> function* the archetype plugin results in arbitrary code run on your system?
>> It's entirely redundant.
>>
>> Heck, *every maven plugin* is arbitrary code downloaded & executed.
>>
>> On 17 November 2015 at 16:49, Victor Adrian Sosa Herrera <victo...@mx1.ibm.com> wrote:
>>> Perhaps I didn't make myself clear.
>>>
>>> Yes, the problem is related to serialization of objects from untrusted
>>> sources. My understanding is that when you pull/create an archetype,
>>> there's some sort of serialization of such archetype; please correct me if
>>> wrong because this is a gray area to me.
>>>
>>> What I meant is that it doesn't matter whether you serialize or not using
>>> the commons-collections library, as long as you have it loaded in the
>>> classpath.
>>>
>>> If that's the case, then m2e is vulnerable. Can someone confirm my
>>> assumption, please?
>>>
>>> Thanks a lot
>>> Regards
>>>
>>> *Victor Adrian Sosa Herrera*
>>> Software Engineer - Rational Application Developer
>>> 2200 Camino A El Castillo
>>> IBM Master Innovator
>>> El Salto, 45680
>>> Mexico Software Lab
>>> Mexico
>>> C120
>>> Q2
>>> Phone: +52-33-3669-7000 x3344[1]
>>> Mobile: +52-1-33-1529-6494[2]
>>> e-mail: victo...@mx1.ibm.com
>>> Twitter[3]
>>> DeveloperWorks blog[4]
>>>
>>>> ----- Original message -----
>>>> From: Matthew Piggott <mpigg...@sonatype.com>
>>>> Sent by: m2e-users-boun...@eclipse.org
>>>> To: Maven Integration for Eclipse users mailing list <m2e-users@eclipse.org>
>>>> Cc:
>>>> Subject: Re: [m2e-users] Vulnerability problem found in M2E
>>>> Date: Tue, Nov 17, 2015 3:28 PM
>>>>
>>>> Unless you've got the wrong link, the commons vulnerability we've all seen
>>>> is for deserializing objects from untrusted sources.
>>>>
>>>> On 17 November 2015 at 16:24, Victor Adrian Sosa Herrera <victo...@mx1.ibm.com> wrote:
>>>>> Thank you for responding, Matthew.
>>>>>
>>>>> However, the problem depicted there is that it doesn't matter whether
>>>>> you are serializing/deserializing objects at runtime; having the JAR in
>>>>> the classpath is enough to get this exploitation on the job. Currently,
>>>>> m2e seems to be packaging this JAR in org.eclipse.m2e.archetype.common
>>>>> for both 1.4 and 1.5.
>>>>>
>>>>> The good news is that the Apache Commons team shipped yesterday a fix for
>>>>> the 3.x version. You can grab it from here:
>>>>> https://commons.apache.org/proper/commons-collections/download_collections.cgi
>>>>>
>>>>> For the 4.x version, they are still working on it AFAIK.
>>>>>
>>>>> With that being said, does this sound convincing enough to fix it in m2e?
>>>>> Even better, should I open a bugzilla to track this?
>>>>>
>>>>> Thanks again.
>>>>>
>>>>> Regards
>>>>>
>>>>>> ----- Original message -----
>>>>>> From: Matthew Piggott <mpigg...@sonatype.com>
>>>>>> Sent by: m2e-users-boun...@eclipse.org
>>>>>> To: Maven Integration for Eclipse users mailing list <m2e-users@eclipse.org>
>>>>>> Cc:
>>>>>> Subject: Re: [m2e-users] Vulnerability problem found in M2E
>>>>>> Date: Tue, Nov 17, 2015 3:12 PM
>>>>>>
>>>>>> It seems unlikely m2e is affected by it.
>>>>>>
>>>>>> It's been a while but I don't recall m2e using class serialization
>>>>>> internally. The bundle suggests the archetypes; I don't know if the
>>>>>> maven archetypes use object serialization, but since they can already
>>>>>> result in arbitrary code being run on your system (via the generated
>>>>>> pom) it doesn't seem an attack source.
>>>>>>
>>>>>> On 17 November 2015 at 16:05, Victor Adrian Sosa Herrera <victo...@mx1.ibm.com> wrote:
>>>>>>> Hello Community.
>>>>>>>
>>>>>>> Throwing this question on the table again. Will this problem be fixed
>>>>>>> by the m2e team?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>>> ----- Original message -----
>>>>>>>> From: Victor Adrian Sosa Herrera/Mexico/IBM
>>>>>>>> To: m2e-users@eclipse.org
>>>>>>>> Cc:
>>>>>>>> Subject: Vulnerability problem found in M2E
>>>>>>>> Date: Mon, Nov 16, 2015 1:39 PM
>>>>>>>>
>>>>>>>> Hello community.
>>>>>>>>
>>>>>>>> In the past weeks, a security vulnerability was found in the Apache
>>>>>>>> Commons Collections library, particularly in versions 3.x and 4.x. You
>>>>>>>> can see details here:
>>>>>>>> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
>>>>>>>>
>>>>>>>> The fix is on its way and tracked under this JIRA:
>>>>>>>> https://issues.apache.org/jira/browse/COLLECTIONS-580
>>>>>>>>
>>>>>>>> Now, I've been digging into this a little bit and found that one M2E plugin
>>>>>>>> is bundling this commons-collections.jar archive, at least on Eclipse
>>>>>>>> Luna. Doing a quick search in the Eclipse installation I found this:
>>>>>>>> org.eclipse.m2e.archetype.common_1.5.0.20140605-2032/commons-collections-3.2.jar
>>>>>>>>
>>>>>>>> Do you have any plans to patch this plugin with the updated library
>>>>>>>> (once available)?
>>>>>>>>
>>>>>>>> Regards
>
> --
> "Have you tried turning it off and on again" - The IT Crowd
> And if that fails, then http://goo.gl/tnBgH5

Links:
1. tel:%2B52-33-3669-7000%20x3344
2. tel:%2B52-1-33-1529-6494
3. https://twitter.com/sosah_victor
4. https://www.ibm.com/developerworks/community/blogs/victorsh
_______________________________________________ m2e-users mailing list m2e-users@eclipse.org To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/m2e-users
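As an added example (not code from the thread or from m2e), the inventory check Victor describes, searching an Eclipse installation for bundled commons-collections jars, done as a Python script that reads each jar's version from its file name or from the Maven pom.properties inside it and flags 3.x versions older than the 3.2.2 fix. Per Fred's and Matthew's replies, a hit only means the library is present, not that anything deserializes untrusted input with it. It assumes the bundle directory and 3.2 jar named in the thread; the second bundle, example.bundle_1.0.0, is a constructed placeholder.

```python
import os
import re
import tempfile
import zipfile

FIXED_3X = (3, 2, 2)  # first 3.x release carrying the fix, per the thread
NAME_RE = re.compile(r"^commons-collections4?-(\d+(?:\.\d+)*)\.jar$")  # e.g. commons-collections-3.2.jar

def parse_version(text):
    return tuple(int(p) for p in text.split("."))  # '3.2' -> (3, 2); tuples compare element-wise

def jar_version(path):
    """Version from the file name, else from the Maven pom.properties shipped inside the jar."""
    m = NAME_RE.match(os.path.basename(path))
    if m:
        return parse_version(m.group(1))
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1].strip())
    return None  # no version information found: report for manual review

def assess(version):
    """'vulnerable'/'fixed' for 3.x; 'review' for 4.x, whose fix was still pending per the thread."""
    if version and version[0] == 3:
        return "vulnerable" if version < FIXED_3X else "fixed"
    return "review" if version and version[0] == 4 else "unknown"

def scan(root):
    """Walk an Eclipse install (or any tree) and classify every commons-collections jar in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.startswith("commons-collections") and f.endswith(".jar"):
                path = os.path.join(dirpath, f)
                version = jar_version(path)
                findings.append((os.path.relpath(path, root), version, assess(version)))
    return sorted(findings)

def demo():
    """Constructed tree (not a real install): the 3.2 jar in the m2e bundle from the thread, plus a hypothetical bundle with an unversioned 3.2.2 jar."""
    root = tempfile.mkdtemp()
    for bundle, jar, props in [("org.eclipse.m2e.archetype.common_1.5.0.20140605-2032", "commons-collections-3.2.jar", ""),
                               ("example.bundle_1.0.0", "commons-collections.jar", "version=3.2.2\n")]:
        os.makedirs(os.path.join(root, "plugins", bundle))
        with zipfile.ZipFile(os.path.join(root, "plugins", bundle, jar), "w") as zf:
            zf.writestr("META-INF/maven/commons-collections/commons-collections/pom.properties", props)
    return {os.path.basename(p): (v, s) for p, v, s in scan(root)}
```

Run scan() against the plugins directory of a real install; demo() only builds the sample tree in a temporary directory.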