Add security report.

git-svn-id: https://svn.apache.org/repos/asf/commons/proper/collections/trunk@1715489 13f79535-47bb-0310-9956-ffa450edef68
2015-11-21 09:51:39 +00:00 · 2015-11-21 09:51:39 +00:00 · c64fb87ebe
parent 313babb6e2
commit c64fb87ebe
2 changed files with 120 additions and 8 deletions
--- a/src/site/site.xml
+++ b/src/site/site.xml
@ -24,15 +24,16 @@

    <body>
        <menu name="Collections">
-            <item name="Overview"      href="/index.html"/>
-            <item name="Download"      href="/download_collections.cgi"/>
-            <item name="Users guide"   href="/userguide.html"/>
-            <item name="History"       href="/history.html"/>
-            <item name="Release Notes v4.0" href="/release_4_0.html"/>
+            <item name="Overview"             href="/index.html"/>
+            <item name="Download"             href="/download_collections.cgi"/>
+            <item name="Security Reports"     href="/security-reports.html"/>
+            <item name="Users guide"          href="/userguide.html"/>
+            <item name="History"              href="/history.html"/>
+            <item name="Release Notes v4.0"   href="/release_4_0.html"/>
            <item name="Release Notes v3.2.2" href="/release_3_2_2.html"/>
-            <item name="Javadoc v4.1"       href="/javadocs/api-release/index.html"/>
-            <item name="Javadoc v4.0"       href="/javadocs/api-4.0/index.html"/>
-            <item name="Javadoc v3.2.2"     href="/javadocs/api-3.2.2/index.html"/>
+            <item name="Javadoc v4.1"         href="/javadocs/api-release/index.html"/>
+            <item name="Javadoc v4.0"         href="/javadocs/api-4.0/index.html"/>
+            <item name="Javadoc v3.2.2"       href="/javadocs/api-3.2.2/index.html"/>
        </menu>

        <menu name="Development">
--- a/src/site/xdoc/security-reports.xml
+++ b/src/site/xdoc/security-reports.xml
@ -0,0 +1,111 @@
+<?xml version="1.0"?>
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Commons Collections Security Reports</title>
+        <author email="dev@commons.apache.org">Commons Documentation Team</author>
+    </properties>
+    <body>
+      <section name="General Information">
+        <p>For information about reporting or asking questions about
+        security problems, please see the <a
+        href="http://commons.apache.org/security.html">security page
+        of the Commons project</a>.</p>
+      </section>
+
+      <section name="Apache Commons Collections Security Vulnerabilities">
+        <p>This page lists all security vulnerabilities fixed in
+        released versions of Apache Commons Collections. Each
+        vulnerability is given a security impact rating by the
+        development team - please note that this rating may vary from
+        platform to platform. We also list the versions of Commons
+        Collections the flaw is known to affect, and where a flaw has not
+        been verified list the version with a question mark.</p>
+
+        <p>Please note that binary patches are never provided. If you
+        need to apply a source code patch, use the building
+        instructions for the Commons Collections version that you are
+        using.</p>
+
+        <p>If you need help on building Commons Collections or other help
+        on following the instructions to mitigate the known
+        vulnerabilities listed here, please send your questions to the
+        public <a href="mail-lists.html">Collections Users mailing
+        list</a>.</p>
+
+        <p>If you have encountered an unlisted security vulnerability
+        or other unexpected behaviour that has security impact, or if
+        the descriptions here are incomplete, please report them
+        privately to the Apache Security Team. Thank you.</p>
+
+        <subsection name="Fixed in Apache Commons Collections 3.2.2/4.1">
+          <p><b>High: Remote Code Execution during object de-serialization</b></p>
+          
+          <p>The Apache Commons Collections library contains various classes
+          in the "functor" package which are serializable and use reflection.
+          This can be exploited for remote code execution attacks by injecting
+          specially crafted objects to applications that de-serialize
+          java objects from untrusted sources and have the Apache Commons Collections
+          library in their classpath and do not perform any kind of input
+          validation.</p>
+
+          <p>The implemented fix can be tracked via its related issue  
+          <a href="https://issues.apache.org/jira/browse/COLLECTIONS-580">COLLECTIONS-580</a>:</p>
+          
+          <ul>
+            <li><b>3.2.2</b>: de-serialization of unsafe classes in the functor package
+                will trigger an "UnsupportedOperationException" by default. In order to re-enable
+                the previous behavior, the system property
+                "org.apache.commons.collections.enableUnsafeSerialization" has to be set to "true".</li>
+            <li><b>4.1</b>: de-serialization support for unsafe classes in the functor package
+                has been completely removed (unsafe classes do not implement Serializable anymore).</li>
+          </ul>
+
+          <p>The potential exploit was first presented at AppSecCali2015 [3] on 28 January 2015 by
+          Gabriel Lawrence and Chris Frohoff. Based on these exploits, Stephen Breen published
+          on 06 November 2015 attack scenarios [4] for various products like WebSphere, JBoss, Jenkins,
+          WebLogic, and OpenNMS. The Security team was <b>not</b> informed about these security
+          problems prior to their publication. No CVE id was assigned for the Apache Commons
+          Collections library, please refer to [1] or [2] for more information about the general
+          problem with Java serialization.</p>
+          
+          <p>Affects: 3.0 - 4.0</p>
+          
+          <p>Related links:</p>
+          
+          <ol>
+            <li>Vulnerability Report for Oracle Weblogic Server:
+                <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852">CVE-2015-4852</a></li>
+            <li>Apache Commons
+                <a href="https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread">statement</a>
+                to widespread Java object de-serialisation vulnerability</li>
+            <li><a href="http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles">
+                Presentation</a> @ AppSecCali2015 by Lawrence and Frohoff</li>
+            <li><a href="http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability">Attack scenarios</a>
+                for various products by Stephen Breen</li>
+          </ol>
+
+        </subsection>
+      </section>
+
+      <section name="Errors and Ommissions">
+        <p>Please report any errors or omissions to <a
+        href="mail-lists.html">the dev mailing list</a>.</p>
+      </section>
+    </body>
+</document>