Our security group is asking about CVE-2015-7501 and CVE-2015-4852 regarding commons-collections. 12.1 Release 240 of Web Viewer includes:
.../tomcat/webapps/ROOT/WEB-INF/lib/commons-collections-3.1.jar
.../tomcat/webapps/ROOT/WEB-INF/lib/commons-collections-3.2.2.jar
Is there any reason for having both 3.1 and 3.2.2? Can the 3.1 file be deleted from the war file?
The commons-collections-3.1.jar in our /lib directory is a stub containing only the 1-line Manifest file. It is no longer needed for installation, and the commons-collections-3.2.2.jar is the one used.
The ../tomcat/webapps/ROOT/WEB-INF/lib/commons-collections-3.1.jar can be deleted. The problem is that our installation process does not permit deleting files, so the commons-collections-3.1.jar unfortunately remains. Please feel free to delete the 3.1 file, and be aware that you will need to do so again when applying future builds.
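A way to verify the answer's claim before deleting anything, as an added example that is not part of the original thread: the script below lists every commons-collections*.jar in a WEB-INF/lib directory and reports which ones are manifest-only stubs and which actually ship classes. The sample jars it builds in a temporary directory are constructed for the example; the `org/apache/commons/collections/` class prefix is the library's real package path.

```python
"""Audit commons-collections jars in a WEB-INF/lib directory.

Added example (standard library only). A jar whose sole entry is
META-INF/MANIFEST.MF carries no code and can be removed; a jar that
ships org/apache/commons/collections classes is the one actually loaded.
"""
import tempfile
import zipfile
from pathlib import Path

MANIFEST = "META-INF/MANIFEST.MF"
CC_PREFIX = "org/apache/commons/collections/"


def jar_entries(path):
    """Return non-directory entry names inside a jar (a jar is a zip)."""
    with zipfile.ZipFile(path) as zf:
        return [n for n in zf.namelist() if not n.endswith("/")]


def is_manifest_only_stub(path):
    """True when the jar contains nothing but the manifest."""
    return jar_entries(path) == [MANIFEST]


def ships_classes(path, prefix=CC_PREFIX):
    """True when the jar actually carries commons-collections classes."""
    return any(n.startswith(prefix) and n.endswith(".class")
               for n in jar_entries(path))


def audit_lib_dir(lib_dir):
    """Map each commons-collections*.jar name to a classification."""
    report = {}
    for jar in sorted(Path(lib_dir).glob("commons-collections*.jar")):
        if is_manifest_only_stub(jar):
            report[jar.name] = "stub (manifest only)"
        elif ships_classes(jar):
            report[jar.name] = "real library"
        else:
            report[jar.name] = "unexpected contents"
    return report


def make_sample_lib():
    """Build a constructed WEB-INF/lib with a stub 3.1 and a real 3.2.2."""
    lib = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(lib / "commons-collections-3.1.jar", "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(lib / "commons-collections-3.2.2.jar", "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\n")
        # Placeholder bytes stand in for a real class file in this sample.
        zf.writestr(CC_PREFIX + "functors/InvokerTransformer.class", b"\xca\xfe")
    return lib


if __name__ == "__main__":
    for name, verdict in audit_lib_dir(make_sample_lib()).items():
        print(f"{name}: {verdict}")
```

Point `audit_lib_dir` at the real `.../tomcat/webapps/ROOT/WEB-INF/lib` to check the deployed jars; a jar reported as "unexpected contents" deserves a manual look before removal.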