Re: Re: Assign CVE for common-collections remote code execution on deserialisation flaw

[Gsunde Orangen <gsunde.orangen () gmail com>]

+1
Note that Daniel from Jenkins requested a CVE ID, too (for the Jenkins
Fix [1]. I propose to use the same ID here.
This is btw. the only critical bug (SECURITY-218) without a CVE-ID
included in latest Jenkins release [2].
(...and: kudos to the Jenkins team for acting so quickly and
professional; great work ;-)

Gsunde


[1] http://seclists.org/oss-sec/2015/q4/241
[2]
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

On 2015-11-13 on 05:50 Jason Shepherd wrote:
> I think a precedent has been set with the Groovy issue [1] that we'd issue a CVE for the libraries that allow us to 
> execute code during deserialization of their classes.
>
> [1] CVE-2015-3253 
>
> As Gsunde points out, it would make it a lot easier for everyone to refer to this issue if it had a CVE.
>
> ----- Original Message -----
> From: "Jason Shepherd" <jshepher () redhat com>
> To: oss-security () lists openwall com
> Sent: Monday, 9 November, 2015 10:36:20 AM
> Subject: Assign CVE for common-collections remote code execution on deserialisation flaw
>
> Hello oss-esc,
>
> It was found that a flaw in Apache commons-collections Java library allowed remote code execution when Deserialised 
> with Java Object Serialization. Full details of the vulnerability can be found in this recent blog post, [1]. A 
> proposed patch for 3.2.x branch has been submitted upstream, but no release has been made with the fix at the current 
> time. The issue affects version 3.x, and 4.x of Apache common-collections, [2].
>
>    [1] 
> http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
>    [2] https://issues.apache.org/jira/browse/COLLECTIONS-580
>
> Regards,
> Jason Shepherd
> Red Hat Product Security