    SmartGWT 3.1 with Apache Collections 4.1

    Hi,

    We are using SmartGWT 3.1. OOB it comes with Apache Collections 3.2.1.jar. However, since our product needed the Apache Collections jar of the same version in other areas, we kept it at a common location and made it available as part of the classpath for our SmartGWT application. That way we do not have to bundle it again under WEB-INF/lib. All this worked fine so far.

    However, recently we got a security vulnerability with Apache Collections 3.2.1 and were asked to move to version 4.1. So we updated our common jar to the 4.1 version. However, post this our SmartGWT application stopped working. It wouldn't even throw any exceptions or errors. However, if I put the older 3.2.1.jar within the WEB-INF/lib folder, it works.

    Any idea how I can get SmartGWT 3.1 to work with Apache Collections 4.1?

    Thanks

    #2
    Can someone from Isomorphic provide some details?

    Thanks

    Comment


      #3
      Hello Sandip,

      It's very important when posting to provide all the details that are needed, otherwise, it may be impossible to help you (as in this case).

      The basic things we needed to know:

      1. what security vulnerability do you believe is present in Commons Collections? We know of one regarding serialization, but SmartGWT is not vulnerable.

      2. what do you mean when you say the application "stopped working"? Please be very, very specific. When you only say "stopped working", we can't even tell if your servlet engine started at all

      3. have you tried using just an updated jar in web-inf/lib instead of updating the jar that other software uses?

      4. why are you trying to go to 4.1 instead of just 3.2.2? If you haven't tried 3.2.2, you should probably try it

      Comment


        #4
        Sure. Here you go,

        1. Yes, I believe that is what it is. OK, but I think the first option I would like to take is to move away from this jar.
        2. When I say it stopped working, it just returns me the context not found; the server starts, but I think the web application deployment does not happen properly. I don't get any errors/exceptions either.
        3. I'll try that and it most probably will work. But I was hoping to not duplicate the same software jar at multiple places with different versions.
        4. As a company we need to move to a newer agreed-upon version across the board. And that version was decided to be 4.1.

        Comment
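
Added example, not part of any post in this thread: Commons Collections 3.x classes live in the Java package `org.apache.commons.collections`, while 4.x uses `org.apache.commons.collections4`, so a 4.1 jar on a shared classpath does not supply the classes that code built against 3.x loads. The Python below inventories jars by package and manifest version; the jar labels, the function names and the reliance on an `Implementation-Version` manifest entry are assumptions, and the sample jars are constructed in memory.

```python
import io
import re
import zipfile

# 3.x and 4.x live in different Java packages, so a 4.x jar cannot satisfy
# classes compiled against the 3.x API.
LEGACY_PKG = "org/apache/commons/collections/"
V4_PKG = "org/apache/commons/collections4/"
FIXED_3X = (3, 2, 2)  # the 3.x release suggested in the thread

def inspect_jar(jar):
    """Return (version tuple or None, has 3.x package, has 4.x package)."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*([\d.]+)", manifest, re.M)
    version = tuple(int(p) for p in m.group(1).split(".") if p) if m else None
    return (version,
            any(n.startswith(LEGACY_PKG) for n in names),
            any(n.startswith(V4_PKG) for n in names))

def audit(jars):
    """jars maps a label to a path or file object; returns finding strings."""
    findings, legacy_seen = [], False
    for label, jar in jars.items():
        version, legacy, v4 = inspect_jar(jar)
        legacy_seen = legacy_seen or legacy
        if legacy and (version is None or version < FIXED_3X):
            findings.append(f"{label}: 3.x API older than 3.2.2 or unversioned")
    if not legacy_seen:
        findings.append("no jar provides org.apache.commons.collections")
    return findings

def make_sample_jar(version, pkg):
    """Constructed stand-in for a real jar: a manifest plus one class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(pkg + "map/LRUMap.class", b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    jars = {"shared/commons-collections4-4.1.jar": make_sample_jar("4.1", V4_PKG)}
    print(audit(jars))
```

Against a real deployment, pass the paths of the jars on the shared classpath and under WEB-INF/lib as the values of the `jars` mapping.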


          #5
          Hi, I'm looking to find the non-vulnerable frameworks that were impacted by the Apache Commons Collection vulnerability issue.
          Apache Commons BeanUtils
          Apache Commons Collections
          Apache Crunch Core
          Apache Directory API
          Apache Directory Shared LDAP
          Apache Hadoop Common
          Apache Hbase - Common
          Apache Hbase - Server
          Apache Jena - Fuseki Server Standalone Jar
          Apache MyFaces JSF-2.2 Core Impl
          ApacheDS All
          ApacheDS MVCC Btree implementation
          AutoValue
          com.google.gwt gwt-dev
          Commons BeanUtils Core
          core
          ESAPI
          flink-core
          flink-shade-include-yarn
          Gradle
          hadoop-mapreduce-client-core
          Hibernate
          ISIS MetaModel
          jakarta-commons-collections
          JasperReports
          Jboss (Java Application Server)
          jcaptcha-all
          Jenkins (Java Application Server)
          JMS Transport
          jung-visualization
          larvalabs collections
          Mule Core
          OpenJPA Aggregate Jar
          OpenJPA Kernel
          OpenJPA Persistence
          OpenJPA Utilities Library
          OpenNMS (Java Application Server)
          org.apache.pig pig
          org.opensymphony.quartz quartz
          org.springframework:spring
          Quartz
          Red Hat JBoss A-MQ 6.x
          Red Hat JBoss BPM Suite (BPMS) 6.x
          Red Hat JBoss BRMS 5.x
          Red Hat JBoss BRMS 6.x
          Red Hat JBoss Data Grid (JDG) 6.x
          Red Hat JBoss Data Virtualization (JDV) 5.x
          Red Hat JBoss Data Virtualization (JDV) 6.x
          Red Hat JBoss Enterprise Application Platform 4.3.x
          Red Hat JBoss Enterprise Application Platform 5.x
          Red Hat JBoss Enterprise Application Platform 6.x
          Red Hat JBoss Fuse 6.x
          Red Hat JBoss Fuse Service Works (FSW) 6.x
          Red Hat JBoss Operations Network (JBoss ON) 3.x
          Red Hat JBoss Portal 6.x
          Red Hat JBoss SOA Platform (SOA-P) 5.x
          Red Hat JBoss Web Server (JWS) 3.x
          Red Hat OpenShift/xPAAS 3.x
          Red Hat Subscription Asset Manager 1.3
          Spring XD DIRT
          STRUTS
          Velocity:velocity-dep
          Webex All-in-one Bundle
          WebLogic (Java Application Server)
          WebSphere (Java Application Server)

          Comment