Does SpringFramework use InvokerTransformer from commons.collections?


Problem description


Yesterday a de-serialisation vulnerability (CVE-2015-4852) was announced:

https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

SpringFramework uses commons.collections.

If SpringFramework uses InvokerTransformer, it can be vulnerable to the de-serialisation vulnerability (CVE-2015-4852).

The question is: does SpringFramework use InvokerTransformer from commons.collections?

Solution

3. Update: That is Jürgen Höller's answer to my Jira issue:

Spring Framework does not use Commons Collections in any way. If you have it on your classpath, it might just be behind another dependency that you chose, such as OpenJPA.

That said, we do have a related issue in SPR-13656 where we've been fixing a class of ours in order to prevent misuse in such scenarios. Note that this only matters if you are exposing serialization-based endpoints to untrusted clients. Spring does not do any such exposure by default; it's rather something that your application is explicitly opting into through the use of HTTP Invoker or RMI Invoker.

Juergen


2. Update: Spring Framework versions 4.2.3 and 4.1.9 aren't vulnerable to a related issue.


I searched the spring-framework project and didn't find any use of org.apache.commons.collections.(Transformer|InvokerTransformer|MapTransformer) so far. This doesn't mean that some Spring subprojects make use of InvokerTransformer.

A quick search on jira.spring.io doesn't reveal any issues right now:

https://jira.spring.io/issues/?jql=text%20~%20%22invoketransformer%22

https://jira.spring.io/issues/?jql=text%20~%20%22CVE-2015-4852%22

Maybe a Pivotal official can clarify this.

Update: I filed a Jira issue.
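The answer above boils down to two practical questions for anyone running Spring with a serialization-based endpoint such as HTTP Invoker: is the commons-collections gadget class actually reachable on your classpath (it may arrive through a transitive dependency you never chose), and does your endpoint reject such classes before a single object is instantiated? The following is an added example, not code from this thread, from Spring or from Apache Commons; the class name comes from CVE-2015-4852, the `DENIED_PREFIXES` list and the `Greeting` sample type are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example (not part of the original thread or of Spring itself).
 * Two defender-side checks for the situation the answer describes:
 *   1. is the commons-collections gadget class loadable on this classpath at all?
 *   2. a deserialization stream that refuses the gadget package in resolveClass,
 *      i.e. before any object of that class is created.
 */
public class DeserializationGuard {

    // Gadget class named in the CVE-2015-4852 discussion (commons-collections 3.x).
    static final String INVOKER_TRANSFORMER =
            "org.apache.commons.collections.functors.InvokerTransformer";

    // Hypothetical deny-list of package prefixes; extend it to whatever your own
    // review of transitive dependencies turns up.
    static final Set<String> DENIED_PREFIXES = Set.of(
            "org.apache.commons.collections.functors.",
            "org.apache.commons.collections4.functors.");

    /** Check 1: report whether the gadget class is loadable, without initialising it. */
    static boolean gadgetOnClasspath() {
        try {
            Class.forName(INVOKER_TRANSFORMER, false,
                    DeserializationGuard.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /** Check 2: an ObjectInputStream that rejects denied classes during resolution. */
    static final class FilteringObjectInputStream extends ObjectInputStream {
        FilteringObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String prefix : DENIED_PREFIXES) {
                if (name.startsWith(prefix)) {
                    // Thrown before the class is loaded, so no gadget code runs.
                    throw new InvalidClassException(name, "class denied by deserialization policy");
                }
            }
            return super.resolveClass(desc);
        }
    }

    /** Harmless serializable type used as constructed sample input. */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new FilteringObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("InvokerTransformer loadable: " + gadgetOnClasspath());

        // A benign object still round-trips through the filtering stream.
        Greeting g = (Greeting) deserializeFiltered(serialize(new Greeting("hello")));
        System.out.println("Round-tripped: " + g.text);
    }
}
```

Run `gadgetOnClasspath()` inside the deployed application rather than from a build script, since the answer's point is that the class can be pulled in behind a dependency such as OpenJPA that a source search of spring-framework will never show. The `resolveClass` override is the classic look-ahead pattern for Java 7/8; on Java 9 and later the same policy can be expressed declaratively with `java.io.ObjectInputFilter` (for example `ObjectInputFilter.Config.createFilter("!org.apache.commons.collections.functors.**")`). Either way, a deny-list only covers the gadgets you already know about; an allow-list of the types your endpoint legitimately exchanges is the stronger form of the same check.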
