Jboss community 4.2.3 GA and CVE-2015-7501

stevernc75 Dec 2, 2015 12:36 PM

Wanted to check if there was a new community edition of commons-collections.jar for 4.2.3 GA created to resolve the deserialization CVE-2015-7501 issues or if the proposed steps would be to manually modify the existing jar directly removing the InvokerTransformer, InstantiateFactory, and InstantiateTransformer classes from all commons-collections.jar? Thanks in advance,

1. Re: Jboss community 4.2.3 GA and CVE-2015-7501

ctomc Dec 2, 2015 5:05 PM (in response to stevernc75)

https://access.redhat.com/solutions/2045023
Actions