
Apache Commons update in 6.2 GA5?

Chris Dailey, modified 8 years ago.

Junior Member. Posts: 30. Join date: 24/11/14.
Will the uses of apache commons be updated in Liferay 6.2 GA5 to commons-collections-3.2.2.jar?

For those not familiar with the issue, there is a problem with deserializing streams sent to web servers that affects applications running in most any web container. See this page for details. The problem exists in all versions up to commons-collections-3.2.1.jar, and is fixed in the latest commons-collections-3.2.2.jar. It appears to exist in ROOT, kaleo-web, opensocial-portlet, and probably other portlets created using the SDK.

Thanks!
Bijan Vakili, modified 8 years ago.

RE: Apache Commons update in 6.2 GA5?

Expert. Posts: 375. Join date: 10/03/09.
Looking at the tagged commit, I don't think so:
https://github.com/liferay/liferay-portal/blob/6.2.4-ga5/lib/versions.html#L720

Best chance is for a manual update (I haven't considered implications;) or to create ticket for next version; currently Liferay 7 Alpha 3; but there is room for such upgrades here:
https://github.com/liferay/liferay-portal/blob/7.0.x/lib/versions.html#L784

https://issues.liferay.com/secure/Dashboard.jspa

Thanks for socializing this; I'll read more.

Update: Liferay Community Security Team
I'll follow these guides to report issue; and link back to this forum thread as well.
https://dev.liferay.com/web/community-security-team/process
Update: I've reported issue to Liferay now.


Chris,
Have you found how this impacts Liferay?
I am not sure how this impacts Liferay, as I don't think it does the following: accept serialized user input. If it did that, it'd be vulnerable; but I've never seen Liferay do such a thing, and I've been reading it for a while now; nevertheless, perhaps you may have noticed.
Chris Dailey, modified 8 years ago.

RE: Apache Commons update in 6.2 GA5?

Junior Member. Posts: 30. Join date: 24/11/14.
Bijan Vakili:
Update: I've reported issue to Liferay now.

Chris,
Have you found how this impacts Liferay?
I am not sure how this impacts Liferay, as I don't think it does the following: accept serialized user input. If it did that, it'd be vulnerable; but I've never seen Liferay do such a thing, and I've been reading it for a while now; nevertheless, perhaps you may have noticed.


Thanks for reporting this, Bijan!

I can't be sure exactly how Liferay is affected as I haven't tried a proof-of-concept, but from the descriptions of the problem I would guess that it would be pretty likely to be hackable. Doing a quick search, it looks like all of the main Liferay apps (ROOT, kaleo-web, opensocial-portlet) use the jar file, and my JSF portlet that uses the Liferay SDK through Eclipse includes that JAR file.

As the article says, this affects pretty much every application server, since serialization is an integral part of so much of the Java web infrastructure in one way or another. I don't know enough to know whether an exploit would require help from an application, or if just those jars being in the classpath for some portion of the application is enough. The article says it could be triggered "In HTTP requests – Parameters, ViewState, Cookies, you name it" "RMI" "RMI over HTTP" "JMX" and "Custom Protocols" - it's anything that could convince/trick the web server to deserialize a malicious serialized object stream. That sounds to me like a lot of surface area. I use JSF portlets, which I know uses ViewState, so at least my application will probably be vulnerable.

Upgrading to commons-collections-3.2.2.jar from 3.2.1 should be pretty safe for the Liferay product. I'd really hope they would update the JAR in both 6.2.x and in 7.0.x branches.
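The posts above rely on a "quick search" for the jar in ROOT, kaleo-web, opensocial-portlet and SDK-built portlets. The script below is an added example (not code from the thread or from Liferay) of doing that search systematically: it walks a deployment tree, finds every commons-collections jar, takes the version from the filename or, for jars copied in without a version suffix, from `Implementation-Version` in the manifest, and reports anything below 3.2.2 or with no determinable version. The directory layout and the jars it builds are constructed sample data; the `commons-collections4` artifact is a separate line and is deliberately left out of this check.

```python
"""Added example: report commons-collections 3.x jars older than 3.2.2 under a
deployment root. Sample tree and manifests below are constructed, not real data."""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (3, 2, 2)  # release named in the thread as carrying the fix
NAME_RE = re.compile(r"^commons-collections-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'3.2.1' -> (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def jar_version(path):
    """Version from the filename; otherwise Implementation-Version from the
    manifest; None if neither is available or parseable."""
    match = NAME_RE.match(os.path.basename(path))
    if match:
        return parse_version(match.group(1))
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            try:
                return parse_version(value.strip())
            except ValueError:
                return None
    return None


def scan(root):
    """Return sorted (relative path, version tuple or None) for every
    commons-collections 3.x jar under root that is older than FIXED_VERSION
    or whose version cannot be determined (treated as suspect)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar") or "commons-collections" not in name:
                continue
            if name.startswith("commons-collections4"):
                continue  # different artifact line; not covered by this check
            path = os.path.join(dirpath, name)
            version = jar_version(path)
            if version is None or version < FIXED_VERSION:
                findings.append((os.path.relpath(path, root), version))
    return sorted(findings)


def build_sample_tree():
    """Constructed Liferay-like layout: a versioned 3.2.1 jar in ROOT, an
    unversioned jar in kaleo-web whose manifest says 3.2.2, an unversioned
    jar in a custom portlet with no version at all, and an unrelated jar."""
    root = tempfile.mkdtemp(prefix="cc-scan-")

    def write_jar(rel, impl_version):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        manifest = "Manifest-Version: 1.0\n"
        if impl_version:
            manifest += "Implementation-Version: %s\n" % impl_version
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)

    write_jar("webapps/ROOT/WEB-INF/lib/commons-collections-3.2.1.jar", "3.2.1")
    write_jar("webapps/kaleo-web/WEB-INF/lib/commons-collections.jar", "3.2.2")
    write_jar("webapps/my-portlet/WEB-INF/lib/commons-collections.jar", None)
    write_jar("webapps/other/WEB-INF/lib/commons-lang-2.6.jar", "2.6")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, version in scan(sample_root):
        shown = ".".join(map(str, version)) if version else "unknown"
        print("%s (version %s)" % (rel_path, shown))
```

Run it against a real Tomcat bundle by calling `scan("/path/to/liferay/tomcat")` instead of the constructed tree; a jar with no determinable version is listed rather than ignored so that it gets inspected by hand.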
Andrew Jardine, modified 8 years ago.

RE: Apache Commons update in 6.2 GA5?

Liferay Legend. Posts: 2416. Join date: 22/12/10.
Hi Chris,

I think, as you say, to fix the out-of-the-box stuff you'll have to wait for Liferay -- or clone the plugin from their repo and make the change yourself. But, for anything custom that you write, you don't have to use the libraries bundled with the portal. You can always add your own libraries to your project -- or better yet, switch to using Maven and just manage it through the dependencies. Like you, I do try to stick to what the portal ships with (apples to apples and all that) but I have had many occasions where I simply had to include my own for one reason or another.
Bijan Vakili, modified 8 years ago.

RE: Apache Commons update in 6.2 GA5?

Expert. Posts: 375. Join date: 10/03/09.
I think this would have been found a while back if this really affected the product, since it's gone through lab audits (DOD). Serialization is used throughout, though not in ways that would compromise it; for example it's used to replicate cache; it is not used to get user input, as the vulnerability requires; Liferay validates each field on its own.



Perhaps I have misunderstood the point. If App server's vulnerable, then yes; it won't matter what Liferay logic does; I guess it could be vulnerable then.
I think a proof-of-concept would help much; similar to the "Heartbleed" bug last year.



But then again the bug requires this: something on the app server to take input that could be sent to it serialized. The Tomcat bundle for Liferay is the most used, and Liferay takes out Tomcat's manager, so the app server's not vulnerable; so I don't think it applies to this bundle. As the author said, WebLogic's affected, though I haven't looked into that right now, since the last project we used that on was long back, and I haven't seen it used much nowadays.


"RMI over HTTP" "JMX"

I think as best practice these are not public; that is, there is no way to reach them from outside; so definitely something to watch out for, though I'd say that's part of a bigger issue.



I use JSF portlets, which I know uses ViewState, so at least my application will probably be vulnerable.

That's good to know; what you said makes perfect sense.
Again thanks a lot for bringing this up.
Chris Dailey, modified 8 years ago.

RE: Apache Commons update in 6.2 GA5?

Junior Member. Posts: 30. Join date: 24/11/14.
I think this would have been found a while back if this really affected the product, since it's gone through lab audits (DOD). Serialization is used throughout, though not in ways that would compromise it; for example it's used to replicate cache; it is not used to get user input, as the vulnerability requires; Liferay validates each field on its own.

I was unaware such an effort had been taken with Liferay, that is indeed a good thing. It may be the case that Liferay provides no vectors that would deserialize. I would suspect (but guarantee) any JSF portlet created with the Liferay Faces SDK would be vulnerable. I could not say whether any other part of Liferay would be vulnerable. But the consequences would be potentially severe, and it only awaits a vector to be found.

Regardless, I hope we can agree that it would be very prudent for the Liferay distribution and SDK to update the commons-collections JAR, which should be extremely easy to do with extremely low risk of causing any additional problems.
Bijan Vakili, modified 8 years ago.

RE: Apache Commons update in 6.2 GA5?

Expert. Posts: 375. Join date: 10/03/09.
Agreed; upgrading or patching options.
Samuel Kong, modified 8 years ago.

RE: Apache Commons update in 6.2 GA5?

Liferay Legend. Posts: 1902. Join date: 10/03/08.
Liferay is working on a solution to this problem. See https://dev.liferay.com/web/community-security-team/forum/-/message_boards/message/648183 for more details.
mayur Oswal, modified 6 years ago.

RE: Apache Commons update in 6.2 GA5?

New Member. Posts: 8. Join date: 10/05/17.
Did we find the solution to this problem?
I want to update commons-collection-3.2.1.jar to commons-collections-3.2.2.jar in liferay-6.1.2
Olaf Kock, modified 6 years ago.

RE: Apache Commons update in 6.2 GA5?

Liferay Legend. Posts: 6396. Join date: 23/09/08.
mayur Oswal:
Did we find the solution to this problem?
I want to update commons-collection-3.2.1.jar to commons-collections-3.2.2.jar in liferay-6.1.2


6.1.2 is "out of service" since 2013. With that, commons-collection is most likely not your only problem and the solution is to stay current: Instead of upgrading commons-collection in 6.1.2, rather upgrade your Liferay installation to version 7.