Option: Replace commons-collections-3.2.1.jar with patched version

JBoss 7.1.1 Instructions:

1. Shutdown JBoss
   Example command for JBoss 7.1.1:
   /opt/jboss/bin/jboss-cli.sh --connect :shutdown
2. Change to ‘Apache Commons module’ directory
   cd /opt/jboss/modules/org/apache/commons/collections/main
3. Backup existing ‘commons-collections-3.2.1.jar’ somewhere and Replace the file with:
   https://www.i2b2.org/software/patch/commons-collections-3.2.1.jar    (577604 bytes)
4. Startup JBoss
   Example command for JBoss 7.1.1:
   /opt/jboss/bin/standalone.sh -b 0.0.0.0 &
    

Notes:

• The commons-collections-3.2.1.jar file located at https://www.i2b2.org/software/patch/commons-collections-3.2.1.jar has the following 3 class files (InvokerTransformer.class, InstantiateFactory.class, and InstantiateTransformer.class) removed from the JAR as outlined at https://access.redhat.com/security/vulnerabilities/2059393 which you can verify with the command to view the contents of the file by typing: jar -tf commons-collections-3.2.1.jar
• The patched file is provided on an AS-IS basis only. You can manually patch your JAR file and remove the 3 class files as outlined above.

Option: Upgrade commons-collections.3.2.1 to 3.2.2 from Apache

JBoss 7.1.1 Instructions:

1. Download commons-collections.3.2.2-bin.tar.gz from Apache’s web site: https://commons.apache.org/proper/commons-collections/download_collections.cgi
2. Unzip the archive on your web server using the command:  tar -zxvf commons-collections.3.2.2-bin.tar.gz
3. Find commons-collections.3.2.2-bin.jar from the extracted archive, and copy it to /opt/jboss/modules/org/apache/commons/collections/main
4. In the /opt/jboss/modules/org/apache/commons/collections/main directory, edit the file “module.xml” to refer to commons-collections.3.2.2.jar instead of 3.2.1.