Question
TD Bank Financial Group
CA
Last activity: 4 Oct 2018 11:08 EDT
Does Pega use the apache commons java library for serialization
In light of the Apache Commons vulnerability CVE-2015-4852 I am wondering if Pega makes use of this java library. We are looking at two methods to remediate this vulnerability based on whether the Apache Commons java library is used within Pega (6.1 SP2).
Can anyone advise?
**Moderation Team has archived post**
This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
Pegasystems
IN
Copying our security team SpyVsSpy. From what I have read, there seems to be no patch available:
As of today (12th Nov 2015) this vulnerability Apache Commons Collections Component remains un-patched by the Apache Foundation. - See more at: http://www.waratek.com/blog/waratek-resolution-of-apache-commons-collections-component/
TD Bank Financial Group
CA
Hi Rajiv, from what I am told, there are two approaches that will limit the attack surface: contrast-rO0 or Notsoserial, both open source java agents that can be deployed.
TD Bank Financial Group
CA
Hi Rajiv, any word from the Security Team regarding this?
Pegasystems Inc.
US
Mark,
Sorry for the delay. 6.1 SP2 contains version 2.1 of commons-collections.jar. There is no direct use of the functionality associated with CVE that I could find.
Matt
Pegasystems Inc.
US
I am looking into the issue at the moment as BUG-223630 in PMF. In the current versions of Pega in the field or under development (7.1 ML9 and later) there is no direct use of the identified issues within Commons Collection. I do not know if this is also true for older versions like 6.1 SP2.
Pegasystems Inc.
US
commons-collection.jar is still distributed in Pega 7.1.10
Class Name | org.apache.commons.collections.functors.InvokerTransformer
Location   | pegajdbc://1298943102:0/commons-collections.jar
TD Bank Financial Group
CA
My understanding is that there is only a potential vulnerability if the commons-collection.jar is being actively used by the application.
Can anyone confirm whether it is being used by Pega6.1 SP2?
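Added example, not code from this thread or from Pega: a filtering ObjectInputStream that applies the same idea as the Java agents mentioned earlier in the thread (refuse the Commons Collections functor classes at class-resolution time, before any gadget object is instantiated), plus a classpath check for the InvokerTransformer class. The check matters for the "is it being used" question: the gadget class only has to be loadable on the classpath when untrusted bytes reach ObjectInputStream.readObject(); no application code needs to call it. The deny-list prefixes and the class name are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;

// Deserialization filter in the spirit of contrast-rO0 / NotSoSerial, written as a
// drop-in ObjectInputStream subclass so it works on runtimes without JEP 290 filters.
public class SafeObjectInputStream extends ObjectInputStream {
    // Package prefixes that must never be resolved from a serialized stream
    // (assumed deny-list for illustration; extend it from your own library audit).
    private static final String[] DENIED_PREFIXES = {
        "org.apache.commons.collections.functors.",
        "org.apache.commons.collections4.functors."
    };

    public SafeObjectInputStream(InputStream in) throws IOException { super(in); }

    // Called for every class descriptor in the stream before an instance is created,
    // so a crafted stream fails here instead of running the gadget chain.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String prefix : DENIED_PREFIXES) {
            if (name.startsWith(prefix)) {
                throw new InvalidClassException(name, "deserialization of this class is blocked");
            }
        }
        return super.resolveClass(desc);
    }

    // True if the gadget class is loadable on this JVM's classpath, which is the
    // condition that matters, independent of whether application code ever calls it.
    public static boolean gadgetClassPresent() {
        try {
            Class.forName("org.apache.commons.collections.functors.InvokerTransformer");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("InvokerTransformer on classpath: " + gadgetClassPresent());
        // Constructed round-trip of a harmless object to show ordinary data still passes.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject("hello"); }
        try (ObjectInputStream ois = new SafeObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("read back: " + ois.readObject());
        }
    }
}
```

Run it once with commons-collections.jar on the classpath and once without to see the presence check change; every place the application itself calls `new ObjectInputStream(...)` on data from outside the trust boundary is a place this subclass (or one of the agents) needs to sit.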
Centene
US
Hi - Per https://pdn.pega.com/node/1052626, this was fixed in 7.2. We are still on 7.1.8. Is there any fix that we need to apply to close this vulnerability in pre-7.2 versions?
Regards
Sudheesh
Pegasystems Inc.
US