Re: [m2e-users] Vulnerability problem found in M2E

I don't feel too strongly about this, but maybe the better approach would be to get the Apache devs to release a fixed archetype version first, then integrate that into m2e?
 
--
Regards,
Igor
 
 
On Tue, Nov 17, 2015, at 06:03 PM, Fred Bricon wrote:
m2e doesn't deserialize anything from remote connections (doesn't even rely on commons-collections for deserializing its local state). The archetype plugin simply downloads xml and jars, I'm not aware it uses the deserialization mechanism either. I don't believe, unless proven otherwise, that m2e is affected by that particular vulnerability.
 
With that said, I'm fine updating to a non-vulnerable commons-collections version (3.2.2). Please open a bug in [1].
And if you want to provide a patch, have at it [1][2]:-)
 
Fred 
 
 
On Tue, Nov 17, 2015 at 5:07 PM, Matthew Piggott <mpiggott@xxxxxxxxxxxx> wrote:
Why would an attacker rely on a deserialization bug when as a matter of function the archetype plugin results in arbitrary code run on your system?  It's entirely redundant.
 
Heck, every maven plugin is arbitrary code downloaded & executed.
 
On 17 November 2015 at 16:49, Victor Adrian Sosa Herrera <victorsh@xxxxxxxxxxx> wrote:
Perhaps I didn't make myself clear.
 
Yes, the problem is related to serialization of objects from untrusted sources. My understanding is that when you pull/create an archetype, there's some sort of serialization of such archetype, please correct me if wrong because this is a gray area to me.
 
What I meant is that it doesn't matter whether you serialize or not using the commons-collections library, as long as you have it loaded in the classpath.
 
If that's the case, then m2e is vulnerable. Can someone confirm my assumption, please?
 
Thanks a lot
Regards

Victor Adrian Sosa Herrera
Software Engineer - Rational Application Developer
IBM Master Innovator
Mexico Software Lab, C120 Q2
2200 Camino A El Castillo, El Salto, 45680, Mexico
Phone: +52-33-3669-7000 x3344
Mobile: +52-1-33-1529-6494
e-mail: victorsh@xxxxxxxxxxx
Twitter | DeveloperWorks blog

----- Original message -----
From: Matthew Piggott <mpiggott@xxxxxxxxxxxx>
To: Maven Integration for Eclipse users mailing list <m2e-users@xxxxxxxxxxx>
Cc:
Subject: Re: [m2e-users] Vulnerability problem found in M2E
Date: Tue, Nov 17, 2015 3:28 PM
Unless you've got the wrong link, the commons vulnerability we've all seen is for deserializing objects from untrusted sources.
On 17 November 2015 at 16:24, Victor Adrian Sosa Herrera <victorsh@xxxxxxxxxxx> wrote:
 
Thank you for responding, Matthew.
 
However, the problem depicted there is that it doesn't matter whether you're serializing/deserializing objects at runtime, having the JAR in the classpath is enough to get this exploitation on the job. Currently, m2e seems to be packaging this JAR in org.eclipse.m2e.archetype.common for both 1.4 and 1.5.
 
The good news is that the Apache Commons team shipped yesterday a fix for 3.x version. You can grab it from here https://commons.apache.org/proper/commons-collections/download_collections.cgi
 
For 4.x version, they are still working on it AFAIK.
 
With that being said, does this sound convincing enough to fix it in m2e? Even better, should I open a bugzilla to track this?
 
Thanks again.
 
 
Regards
 
----- Original message -----
From: Matthew Piggott <mpiggott@xxxxxxxxxxxx>
Sent by: m2e-users-bounces@xxxxxxxxxxx
To: Maven Integration for Eclipse users mailing list <m2e-users@xxxxxxxxxxx>
Cc:
Subject: Re: [m2e-users] Vulnerability problem found in M2E
Date: Tue, Nov 17, 2015 3:12 PM
It seems unlikely m2e is affected by it. 

It's been a while but I don't recall m2e using class serialization internally.  The bundle suggests the archetypes, I don't know if the maven archetypes use object serialization but since they can already result in arbitrary code being run on your system (via the generated pom) it doesn't seem an attack source.
 
On 17 November 2015 at 16:05, Victor Adrian Sosa Herrera <victorsh@xxxxxxxxxxx> wrote:
Hello Community.
 
Throwing again this question to the table. Will this problem be fixed by m2e team?
 
Thanks
 
Regards
 
----- Original message -----
From: Victor Adrian Sosa Herrera/Mexico/IBM
Cc:
Subject: Vulnerability problem found in M2E
Date: Mon, Nov 16, 2015 1:39 PM
Hello community.
 
Over the past weeks, a security vulnerability was found in the Apache Commons Collections library, particularly in versions 3.x and 4.x. You can see details here
 
The fix is on its way and tracked under this JIRA
 
Now, I've been digging into this a little bit and found that one M2E plugin is bundling this commons-collections.jar archive, at least on Eclipse Luna. Doing a quick search in the Eclipse installation I found this
org.eclipse.m2e.archetype.common_1.5.0.20140605-2032/commons-collections-3.2.jar
 
Do you have any plans to patch this plugin with the updated library (once available)?
 
Regards
--
"Have you tried turning it off and on again" - The IT Crowd
And if that fails, then http://goo.gl/tnBgH5
_______________________________________________
m2e-users mailing list
m2e-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/m2e-users
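The inventory step Victor describes (searching an Eclipse installation for a bundled commons-collections jar and comparing it with the 3.2.2 fix version named in the thread), written up as an added example that is not part of this thread or of m2e; the sample paths are constructed, the first one being the path quoted above, and the 4.x line is only flagged for review because the thread says that fix was still pending:

```python
import re
from pathlib import Path, PurePosixPath

# First 3.x release with the fix, as named in the thread.
FIXED_3X = (3, 2, 2)

# Matches commons-collections-3.2.jar as well as commons-collections4-4.0.jar.
_JAR_RE = re.compile(r"^commons-collections(?:4)?-(\d+(?:\.\d+)*)\.jar$")


def parse_version(jar_name):
    """Return the version tuple of a commons-collections jar name, or None."""
    m = _JAR_RE.match(jar_name)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def classify(jar_path):
    """Classify a jar path: 'vulnerable', 'ok', 'review' (4.x) or 'other'."""
    version = parse_version(PurePosixPath(jar_path).name)
    if version is None:
        return "other"
    if version[0] == 3:
        # Tuple comparison treats (3, 2) as older than (3, 2, 2).
        return "ok" if version >= FIXED_3X else "vulnerable"
    if version[0] == 4:
        return "review"  # 4.x fix status must be checked against the advisory
    return "other"


def find_jars(install_root):
    """Recursively list candidate jars under an Eclipse installation."""
    return [str(p) for p in Path(install_root).rglob("commons-collections*.jar")]


def audit(jar_paths):
    """Group jar paths by classification, keyed to the bundle directory."""
    report = {"vulnerable": [], "review": [], "ok": []}
    for jar_path in jar_paths:
        level = classify(jar_path)
        if level in report:
            p = PurePosixPath(jar_path)
            report[level].append((p.parent.name, p.name))
    return report


# Constructed sample listing; the first entry is the path quoted in the thread.
SAMPLE_PATHS = [
    "plugins/org.eclipse.m2e.archetype.common_1.5.0.20140605-2032/commons-collections-3.2.jar",
    "plugins/org.example.bundle_1.0.0/commons-collections-3.2.2.jar",
    "plugins/org.example.other_2.0.0/commons-collections4-4.0.jar",
    "plugins/org.example.other_2.0.0/commons-lang-2.6.jar",
]

if __name__ == "__main__":
    for level, hits in audit(SAMPLE_PATHS).items():
        for bundle, jar in hits:
            print(f"{level:10} {bundle}: {jar}")
```

Replace SAMPLE_PATHS with find_jars("/path/to/eclipse") to run it against a real installation; as Fred and Matthew point out, a hit is an inventory finding, and exploitability still depends on some code path deserializing untrusted input.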