
List:       myfaces-dev
Subject:    [jira] [Created] (MYFACES-4300) Upgrade Apache Commons Beanutils to 1.9.4
From:       "Volodymyr Siedlecki (Jira)" <dev@myfaces.apache.org>
Date:       2019-09-17 17:35:00
Message-ID: JIRA.13257179.1568741658000.78248.1568741700390@Atlassian.JIRA

Volodymyr Siedlecki created MYFACES-4300:
--------------------------------------------

             Summary: Upgrade Apache Commons Beanutils to 1.9.4
                 Key: MYFACES-4300
                 URL: https://issues.apache.org/jira/browse/MYFACES-4300
             Project: MyFaces Core
          Issue Type: Improvement
          Components: JSR-344, JSR-372
    Affects Versions: 2.3.4, 2.2.12
            Reporter: Volodymyr Siedlecki


Hello,

A security vulnerability (CVE-2019-10086) was discovered in Apache Commons Beanutils 1.9.2. Previously, MyFaces had updated to 1.9.2 in this issue https://issues.apache.org/jira/browse/MYFACES-4032 relating to another security issue (CVE-2014-0114) but was found *not* vulnerable.

It was discovered that 1.9.2 had added a special BeanIntrospector class that prevents attackers from using the class property of all Java objects to access the class loader. However, this behavior was not set as the default (1).

It does not appear that MyFaces is vulnerable to this new vulnerability since there are only a few non-vulnerable startup uses of Apache Commons Beanutils in the MyFaces code:

impl/src/main/java/org/apache/myfaces/application/ApplicationImpl.java
    BeanUtils.setProperty(converter, property.getPropertyName(), property.getDefaultValue())

impl/src/main/java/org/apache/myfaces/config/ManagedBeanBuilder.java
    if (PropertyUtils.isReadable(bean, property.getPropertyName()))
    if (PropertyUtils.isReadable(bean, property.getPropertyName()))

However, I hope you can still upgrade MyFaces to use the latest update of Apache Commons Beanutils, version 1.9.4.

I've added patches for 2.2.x, 2.3.x, master. All three built successfully when I tested the update.

1. http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3CC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3E
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
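The point the report relies on (the "class" property that every Java object exposes through getClass(), the SuppressPropertiesBeanIntrospector that 1.9.2 added, and the fact that it had to be registered by hand before 1.9.4) is easier to see in a small program than in prose. The following is an added example written for this page; it is not MyFaces code, not part of the patches attached to the issue, and not an exploit against MyFaces. It assumes commons-beanutils 1.9.2 or later on the classpath (the introspector class appears in 1.9.2), and the Settings bean and the property path are constructed for the demonstration. It shows how a property name of the form class.classLoader walks from an ordinary bean to its ClassLoader on an unhardened PropertyUtilsBean, and how registering SUPPRESS_CLASS turns that walk into a NoSuchMethodException while leaving ordinary properties untouched. The risk only materialises when the property name is attacker-controlled (for example a request parameter fed to BeanUtils.populate); in the MyFaces call sites quoted above the names come from faces-config.xml, which is why the reporter treats them as non-vulnerable.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

// Added example, not MyFaces or Commons BeanUtils project code.
// Assumes commons-beanutils >= 1.9.2 (SuppressPropertiesBeanIntrospector).
public class ClassPropertyDemo {

    /** Constructed stand-in for a converter or managed bean populated by property name. */
    public static class Settings {
        private String label = "default";
        public String getLabel() { return label; }
        public void setLabel(String label) { this.label = label; }
    }

    /**
     * Resolves a (possibly nested) property path against the bean using the given
     * PropertyUtilsBean. Returns the resolved value, or null when BeanUtils reports
     * the path as unknown, which is exactly what the suppressing introspector causes
     * for any path starting with "class".
     */
    static Object resolve(PropertyUtilsBean pub, Object bean, String path) {
        try {
            return pub.getProperty(bean, path);
        } catch (NoSuchMethodException e) {
            // "Unknown property 'class'": the nested walk is cut off at the first segment.
            return null;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Builds a PropertyUtilsBean hardened the way 1.9.2/1.9.3 users had to do by hand. */
    static PropertyUtilsBean hardenedPropertyUtils() {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        // Registering the introspector on the PropertyUtilsBean that is actually used
        // for population is the whole fix; 1.9.4 does this in the default constructor.
        beanUtils.getPropertyUtils()
                 .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return beanUtils.getPropertyUtils();
    }

    public static void main(String[] args) {
        Settings bean = new Settings();
        // Attacker-shaped property path, constructed for the example; in a real
        // application it would arrive as a request parameter name.
        String path = "class.classLoader";

        // 1) A fresh BeanUtilsBean with no customisation. On 1.9.2/1.9.3 this hands back
        //    the bean's ClassLoader; on 1.9.4 SUPPRESS_CLASS is registered by default
        //    and the same call yields null here.
        PropertyUtilsBean unhardened = new BeanUtilsBean().getPropertyUtils();
        System.out.println("unhardened " + path + " -> " + resolve(unhardened, bean, path));

        // 2) Explicitly hardened: the walk stops at "class" on every 1.9.x release.
        PropertyUtilsBean hardened = hardenedPropertyUtils();
        System.out.println("hardened   " + path + " -> " + resolve(hardened, bean, path));

        // Ordinary bean properties are unaffected by the suppressor.
        System.out.println("hardened   label -> " + resolve(hardened, bean, "label"));
    }
}
```

Two practical notes. The static PropertyUtils and BeanUtils facades delegate to the per-classloader BeanUtilsBean.getInstance(), so in an application that relies on those facades the introspector has to be added to BeanUtilsBean.getInstance().getPropertyUtils() rather than to a throwaway instance as above. And BeanUtilsBean.setProperty swallows the NoSuchMethodException for an unknown nested segment and returns silently, so a hardened instance does not throw on a class.classLoader write; it simply never reaches the ClassLoader, which is the behavior you want but also the reason a test should inspect the result of getProperty, as this example does, rather than wait for an exception from setProperty.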

