
List:       myfaces-dev
Subject:    [jira] [Commented] (MYFACES-4300) Upgrade Apache Commons Beanutils to 1.9.4
From:       "Volodymyr Siedlecki (Jira)" <dev () myfaces ! apache ! org>
Date:       2019-09-20 13:58:00
Message-ID: JIRA.13257179.1568741658000.21497.1568987880366 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/MYFACES-4300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16934422#comment-16934422 ]


Volodymyr Siedlecki commented on MYFACES-4300:
----------------------------------------------

Thank you, [~wtlucy]!

> Upgrade Apache Commons Beanutils to 1.9.4
> -----------------------------------------
> 
> Key: MYFACES-4300
> URL: https://issues.apache.org/jira/browse/MYFACES-4300
> Project: MyFaces Core
> Issue Type: Improvement
> Components: JSR-344, JSR-372
> Affects Versions: 2.2.12, 2.3.4
> Reporter: Volodymyr Siedlecki
> Assignee: Bill Lucy
> Priority: Minor
> Fix For: 2.0.25-SNAPSHOT, 2.1.19-SNAPSHOT, 2.2.13-SNAPSHOT, 3.0.0-SNAPSHOT, 2.3.5-SNAPSHOT
> Attachments: MYFACES-4300-22x.patch, MYFACES-4300-23x.patch, MYFACES-4300-master.patch
> Time Spent: 1h 40m
> Remaining Estimate: 0h
> 
> Hello,
> A security vulnerability (CVE-2019-10086) was discovered in Apache Commons Beanutils 1.9.2. Previously, MyFaces had updated to 1.9.2 in this issue https://issues.apache.org/jira/browse/MYFACES-4032 relating to another security issue (CVE-2014-0114) but was found *not* vulnerable. As for the current vulnerability, 1.9.2 had added a special BeanIntrospector class that prevents attackers from using the class property of all java objects to access the class loader. However, _this behavior was not set as the default_ (1). It does not appear that MyFaces is vulnerable to this new vulnerability since there are only a few non-vulnerable startup uses of Apache Commons Beanutils in the MyFaces code:
> 
> impl/src/main/java/org/apache/myfaces/application/ApplicationImpl.java
> BeanUtils.setProperty(converter, property.getPropertyName(), property.getDefaultValue())
> 
> impl/src/main/java/org/apache/myfaces/config/ManagedBeanBuilder.java
> if (PropertyUtils.isReadable(bean, property.getPropertyName()))
> if (PropertyUtils.isReadable(bean, property.getPropertyName()))
> 
> However, I hope you may still upgrade MyFaces to use the latest update of Apache Commons Beanutils, version 1.9.4. I've added patches for 2.2.x, 2.3.x, master. All three have built successfully when I tested the update.
> 
> 1. [http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3CC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3E]
> 2. [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086]
> 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
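As an added illustration of the mitigation the reporter describes (code written for this note, not part of the MyFaces patches or of the Commons Beanutils project), the following Java snippet registers the class-suppressing introspector explicitly and verifies the effect through the same PropertyUtils.isReadable call that ManagedBeanBuilder uses. It assumes commons-beanutils 1.9.2 or later on the classpath; SampleBean is a constructed stand-in for a managed bean.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * In commons-beanutils 1.9.2 and 1.9.3 SuppressPropertiesBeanIntrospector exists but is
 * not registered by default, so the inherited "class" property of every bean is still
 * visible to property lookups. Registering SUPPRESS_CLASS on the PropertyUtilsBean that
 * the static PropertyUtils facade delegates to removes it from introspection results.
 * Upgrading to 1.9.4, as the issue requests, remains the primary fix; this is a
 * defence-in-depth check an application can run on its own copy of the library.
 */
public class ClassPropertyHardening {

    /** Constructed sample bean (assumption for this example, not MyFaces code). */
    public static class SampleBean {
        private String name = "demo";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Registers the class-suppressing introspector on the shared PropertyUtilsBean. */
    public static void suppressClassProperty() {
        PropertyUtilsBean utils = BeanUtilsBean.getInstance().getPropertyUtils();
        utils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors cached before registration would still list "class"; drop them.
        utils.clearDescriptors();
    }

    /** True while the "class" property is still reachable through the static facade. */
    public static boolean isClassPropertyExposed(Object bean) {
        return PropertyUtils.isReadable(bean, "class");
    }

    public static void main(String[] args) {
        SampleBean bean = new SampleBean();
        System.out.println("before: class readable = " + isClassPropertyExposed(bean));
        suppressClassProperty();
        System.out.println("after:  class readable = " + isClassPropertyExposed(bean));
        // Ordinary bean properties are unaffected by the suppression.
        System.out.println("name readable = " + PropertyUtils.isReadable(bean, "name"));
    }
}
```

The same registration can be done once at application startup; it only affects the JVM-wide BeanUtilsBean instance, so code that builds its own PropertyUtilsBean must register the introspector on that instance separately.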
