1 Reply Latest reply on Dec 2, 2015 5:05 PM by Tomaz Cerar

    JBoss community 4.2.3 GA and CVE-2015-7501

    stephen rushing Newbie

      Wanted to check if there was a new community edition of commons-collections.jar for 4.2.3 GA created to resolve the deserialization CVE-2015-7501 issues, or if the proposed steps would be to manually modify the existing jar directly, removing the InvokerTransformer, InstantiateFactory, and InstantiateTransformer classes from all commons-collections.jar files? Thanks in advance,
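
An added example, not part of the original post or of any JBoss or Apache tooling: a Python inventory check that lists which archives under a server directory, including jars nested inside WAR/EAR/SAR files, still contain the three classes named in the post. The package path assumes commons-collections 3.x (`org/apache/commons/collections/functors/`), and `make_sample_jar` is a hypothetical helper for building constructed test input.

```python
import io
import sys
import zipfile
from pathlib import Path

# Assumption: commons-collections 3.x package layout for the classes in the post.
PKG = "org/apache/commons/collections/functors/"
FLAGGED = {PKG + name + ".class" for name in
           ("InvokerTransformer", "InstantiateFactory", "InstantiateTransformer")}
ARCHIVE_EXT = (".jar", ".war", ".ear", ".sar")


def scan_archive(data, label, findings):
    """Record flagged classes in one archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable zip archive; nothing to report
    with zf:
        names = zf.namelist()
        # Strip the package path and the ".class" suffix for reporting.
        hits = sorted(n.rsplit("/", 1)[1][:-6] for n in names if n in FLAGGED)
        if hits:
            findings[label] = hits
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(n), f"{label}!/{n}", findings)


def scan_tree(root):
    """Return {archive label: [flagged class names]} for every archive under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings


def make_sample_jar(entries):
    """Hypothetical helper: build a constructed in-memory archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for label, classes in scan_tree(root).items():
        print(f"{label}: {', '.join(classes)}")
```

Run it against the server directory before and after any change; an empty result means no scanned archive still carries the three classes.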