List: myfaces-dev
Subject: [jira] [Created] (MYFACES-4300) Upgrade Apache Commons Beanutils to 1.9.4
From: "Volodymyr Siedlecki (Jira)" <dev () myfaces ! apache ! org>
Date: 2019-09-17 17:35:00
Message-ID: JIRA.13257179.1568741658000.78248.1568741700390 () Atlassian ! JIRA
Volodymyr Siedlecki created MYFACES-4300:
--------------------------------------------
Summary: Upgrade Apache Commons Beanutils to 1.9.4
Key: MYFACES-4300
URL: https://issues.apache.org/jira/browse/MYFACES-4300
Project: MyFaces Core
Issue Type: Improvement
Components: JSR-344, JSR-372
Affects Versions: 2.3.4, 2.2.12
Reporter: Volodymyr Siedlecki
Hello,
A security vulnerability (CVE-2019-10086) was discovered in Apache Commons Beanutils 1.9.2. Previously, MyFaces had updated to 1.9.2 in this issue https://issues.apache.org/jira/browse/MYFACES-4032 relating to another security issue (CVE-2014-0114) but was found *not* vulnerable.
It was discovered that 1.9.2 had added a special BeanIntrospector class that prevents attackers from using the class property of all java objects to access the class loader. However, this behavior was not set as the default (1).
It does not appear that MyFaces is vulnerable to this new vulnerability since there are only a few non-vulnerable startup uses of Apache Commons Beanutils in the MyFaces code:
impl/src/main/java/org/apache/myfaces/application/ApplicationImpl.java
    BeanUtils.setProperty(converter, property.getPropertyName(), property.getDefaultValue())
impl/src/main/java/org/apache/myfaces/config/ManagedBeanBuilder.java
    if (PropertyUtils.isReadable(bean, property.getPropertyName()))
    if (PropertyUtils.isReadable(bean, property.getPropertyName()))
However, I hope you may still upgrade MyFaces to use the latest update of Apache Commons Beanutils, version 1.9.4.
I've added patches for 2.2.x, 2.3.x, master. All three have built successfully when I tested the update.
1. http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3CC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3E
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086
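The following is an added illustration of the BeanIntrospector mechanism described above; it is not code from MyFaces or from the Beanutils project. It shows how a caller on Beanutils 1.9.2/1.9.3 can opt in to the SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS introspector so that the "class" property is no longer exposed, which is the behaviour the 1.9.4 announcement (1) makes the default. DemoConverter is a hypothetical stand-in for a converter being populated from managed-property configuration; the two PropertyUtilsBean instances are built locally so the demo does not alter the shared static BeanUtils/PropertyUtils facades.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanIntrospectorDemo {

    // Hypothetical bean: stands in for a converter whose properties are set
    // from configuration, the way MyFaces populates converter defaults.
    public static class DemoConverter {
        private String pattern;
        public String getPattern() { return pattern; }
        public void setPattern(String pattern) { this.pattern = pattern; }
    }

    // A PropertyUtilsBean with only the introspectors it registers by default.
    // On 1.9.2/1.9.3 this still reports "class" as a readable property;
    // on 1.9.4 SUPPRESS_CLASS is already registered and it reports false.
    static boolean classReadableWithDefaults(Object bean) {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        return pub.isReadable(bean, "class");
    }

    // Hardened instance: explicitly register the introspector that hides
    // the "class" property so bean population cannot reach Object.getClass().
    static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub;
    }

    public static void main(String[] args) throws Exception {
        DemoConverter converter = new DemoConverter();

        System.out.println("\"class\" readable with default introspectors: "
                + classReadableWithDefaults(converter));

        PropertyUtilsBean hardened = hardenedPropertyUtils();
        System.out.println("\"class\" readable with SUPPRESS_CLASS registered: "
                + hardened.isReadable(converter, "class"));

        // Ordinary managed-property population is unaffected by the
        // suppression: legitimate bean properties are still writable.
        BeanUtilsBean beanUtils = new BeanUtilsBean(new ConvertUtilsBean(), hardened);
        beanUtils.setProperty(converter, "pattern", "yyyy-MM-dd");
        System.out.println("pattern after setProperty: " + converter.getPattern());
    }
}
```

The static BeanUtils.setProperty and PropertyUtils.isReadable calls listed in the MyFaces sources delegate to the shared BeanUtilsBean.getInstance(); an application that must stay on 1.9.2/1.9.3 can call BeanUtilsBean.getInstance().getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS) once at startup to get the same effect for those facades, whereas upgrading to 1.9.4 as proposed in this issue makes the explicit registration unnecessary.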
--
This message was sent by Atlassian Jira
(v8.3.2#803003)