CVE-2015-7501 CVE-2015-4852 commons-collections 3.1 Web Viewer 12.1

Article ID: 278060

Products

Output Management Web Viewer

Issue/Introduction

Our security group is asking about CVE-2015-7501 and CVE-2015-4852 regarding commons-collections. 12.1 Release 240 of Web Viewer includes:

.../tomcat/webapps/ROOT/WEB-INF/lib/commons-collections-3.1.jar
.../tomcat/webapps/ROOT/WEB-INF/lib/commons-collections-3.2.2.jar

Is there any reason for having 3.1 and 3.2.2? Can the 3.1 file be deleted from the war file?

Environment

  • Apache Tomcat® 9
  • Output Management Web Viewer 12.1

Resolution

The commons-collections-3.1.jar in our /lib directory is a stub containing only a 1-line manifest file. It is no longer needed for installation; commons-collections-3.2.2.jar is the library that is actually used.

The ../tomcat/webapps/ROOT/WEB-INF/lib/commons-collections-3.1.jar can be deleted. The problem is that our installation process does not permit deleting files, so commons-collections-3.1.jar unfortunately remains. Please feel free to delete the 3.1 file, and be aware that you will need to delete it again when applying future builds.
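
To confirm on your own installation that the 3.1 jar is a manifest-only stub before deleting it, or to document that for a scanner finding that matched on the file name, the following added example (not vendor code) inspects a jar's contents. The function name `inspect_jar`, the helper `_make_jar` and the two sample jars are constructed for illustration.

```python
import io
import sys
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# Package path used by Commons Collections 3.x classes inside the jar.
CC3_PREFIX = "org/apache/commons/collections/"


def inspect_jar(jar):
    """Summarise a jar given as a file path or a binary file object."""
    with zipfile.ZipFile(jar) as zf:
        # Skip directory entries; only real files matter.
        files = [n for n in zf.namelist() if not n.endswith("/")]
        manifest = ""
        if MANIFEST in files:
            manifest = zf.read(MANIFEST).decode("utf-8", "replace")
    classes = [n for n in files if n.endswith(".class")]
    return {
        # A stub holds nothing except the manifest.
        "is_stub": all(n == MANIFEST for n in files),
        "manifest_lines": sum(1 for l in manifest.splitlines() if l.strip()),
        "class_count": len(classes),
        "has_cc3_classes": any(n.startswith(CC3_PREFIX) for n in classes),
    }


def _make_jar(entries):
    """Build an in-memory jar from {entry name: content} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed samples: a manifest-only stub and a jar that carries a class file.
STUB = {MANIFEST: "Manifest-Version: 1.0\r\n"}
WITH_CODE = {
    MANIFEST: "Manifest-Version: 1.0\r\n",
    CC3_PREFIX + "functors/InvokerTransformer.class": b"\xca\xfe\xba\xbe",
}

if __name__ == "__main__":
    # Usage: python inspect_jar.py <path to jar> [<path to jar> ...]
    for path in sys.argv[1:]:
        print(path, inspect_jar(path))
```

Run against the real files, the 3.1 jar should report `is_stub: True` with zero classes, while the 3.2.2 jar reports classes because it is the actual library.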