james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tellier Benoit (JIRA)" <server-...@james.apache.org>
Subject [jira] [Created] (JAMES-2198) Fix CVE-2017-12628: Upgrade commons-collection
Date Fri, 20 Oct 2017 08:16:00 GMT
Tellier Benoit created JAMES-2198:
-------------------------------------

             Summary: Fix CVE-2017-12628: Upgrade commons-collection
                 Key: JAMES-2198
                 URL: https://issues.apache.org/jira/browse/JAMES-2198
             Project: James Server
          Issue Type: Improvement
          Components: James Core, JMX
    Affects Versions: master
            Reporter: Tellier Benoit
             Fix For: master


It fixes vulnerability described in CVE-2017-12628. The JMX server, also
used by the command line client is exposed to a java de-serialization
issue, and thus can be used to execute arbitrary commands. As James
exposes JMX socket by default only on local-host, this vulnerability can
only be used for privilege escalation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org


Mime
View raw message