- Dashboard
- Release Management
- …
- Release Management Home
- Upgrade i2b2
- Older Upgrades
- Upgrade to 1.7.09b from 1.7.05+
- Attachments
- i2b2_patching_commons-collections.docx
i2b2_patching_commons-collections.docx
Option: Replace commons-collections-3.2.1.jar with patched version
JBoss 7.1.1 Instructions:
-
Shutdown JBoss
Example command for JBoss 7.1.1:
/opt/jboss/bin/jboss-cli.sh --connect :shutdown -
Change to ‘Apache Commons module’ directory
cd /opt/jboss/modules/org/apache/commons/collections/main -
Backup
existing ‘commons-collections-3.2.1.jar’ somewhere and
Replace
the file with:
https://www.i2b2.org/software/patch/commons-collections-3.2.1.jar (577604 bytes) -
Startup JBoss
Example command for JBoss 7.1.1:
/opt/jboss/bin/standalone.sh -b 0.0.0.0 &
Notes:
- The commons-collections-3.2.1.jar file located at https://www.i2b2.org/software/patch/commons-collections-3.2.1.jar has the following 3 class files (InvokerTransformer.class, InstantiateFactory.class, and InstantiateTransformer.class) removed from the JAR as outlined at https://access.redhat.com/security/vulnerabilities/2059393 which you can verify with the command to view the contents of the file by typing: jar -tf commons-collections-3.2.1.jar
- The patched file is provided on an AS-IS basis only. You can manually patch your JAR file and remove the 3 class files as outlined above.
Option: Upgrade commons-collections.3.2.1 to 3.2.2 from Apache
JBoss 7.1.1 Instructions:
- Download commons-collections.3.2.2-bin.tar.gz from Apache’s web site: https://commons.apache.org/proper/commons-collections/download_collections.cgi
- Unzip the archive on your web server using the command: tar -zxvf commons-collections.3.2.2-bin.tar.gz
- Find commons-collections.3.2.2-bin.jar from the extracted archive, and copy it to /opt/jboss/modules/org/apache/commons/collections/main
- In the /opt/jboss/modules/org/apache/commons/collections/main directory, edit the file “module.xml” to refer to commons-collections.3.2.2.jar instead of 3.2.1.