Posted to announce@apache.org by Rob Tompkins <ch...@apache.org> on 2019/08/15 01:15:30 UTC

[SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppress the class property in PropertyUtilsBean by default.

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: commons-beanutils-1.9.3 and earlier

Description: A special BeanIntrospector, SuppressPropertiesBeanIntrospector,
was added in version 1.9.2. When registered, it stops attackers from using
the class property of Java objects (for example through a nested property
expression such as class.classLoader) to get access to the classloader, the
technique behind CVE-2014-0114. However, this protection was not enabled by
default in 1.9.2 and 1.9.3. As of 1.9.4, PropertyUtilsBean (and consequently
BeanUtilsBean) disallows class level property access by default, thus
protecting against CVE-2014-0114 out of the box.

Mitigation: 1.X users should migrate to 1.9.4.
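Where an immediate upgrade is not possible, the same protection can be switched on explicitly in 1.9.2 and 1.9.3, and it is worth verifying at start-up that the BeanUtilsBean instance a service actually uses no longer exposes "class". The following is an added example written for this page, not code from the advisory or from commons-beanutils itself. It uses only the public 1.9.x API (BeanUtilsBean, PropertyUtilsBean, SuppressPropertiesBeanIntrospector); Widget is a constructed sample bean and the class name ClassPropertyHardening is an assumption.

```java
// Added example (not part of the advisory or of commons-beanutils).
// (a) the nested path an attacker walks from any bean to its classloader,
// (b) enabling SuppressPropertiesBeanIntrospector explicitly on 1.9.2/1.9.3,
// (c) a start-up self-check that fails fast if "class" is still reachable.
import java.lang.reflect.InvocationTargetException;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyHardening {

    /** Constructed sample bean: one harmless property and nothing else. */
    public static class Widget {
        private String name = "widget";
        public String getName() { return name; }
        public void setName(final String name) { this.name = name; }
    }

    /**
     * Registers the class-suppressing introspector on the given instance.
     * On 1.9.4 it is already registered by default and adding it again is
     * harmless; on 1.9.2/1.9.3 this call is what turns the protection on.
     */
    public static BeanUtilsBean harden(final BeanUtilsBean bub) {
        final PropertyUtilsBean pub = bub.getPropertyUtils();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Introspection results are cached per bean class. Drop anything
        // cached before the introspector was added, otherwise classes that
        // were already introspected keep their "class" descriptor.
        pub.clearDescriptors();
        return bub;
    }

    /**
     * True if "class" cannot be read through this instance, i.e. the lookup
     * fails with NoSuchMethodException exactly as it does on a 1.9.4 default.
     */
    public static boolean isClassPropertySuppressed(final BeanUtilsBean bub)
            throws IllegalAccessException, InvocationTargetException {
        try {
            bub.getProperty(new Widget(), "class");
            return false; // reachable: the classloader is one more hop away
        } catch (final NoSuchMethodException expected) {
            return true;
        }
    }

    public static void main(final String[] args) throws Exception {
        // Harden the shared instance behind the static BeanUtils facade, not
        // just a private one, so BeanUtils.populate(...) etc. are covered too.
        final BeanUtilsBean bub = harden(BeanUtilsBean.getInstance());

        // The hop an attacker needs: bean -> class -> classLoader. The nested
        // expression is rejected at its first segment, so it never reaches
        // the loader.
        try {
            bub.getProperty(new Widget(), "class.classLoader");
            throw new AssertionError("class.classLoader was reachable");
        } catch (final NoSuchMethodException blocked) {
            System.out.println("blocked: " + blocked.getMessage());
        }

        // Ordinary bean properties keep working.
        System.out.println("name = " + bub.getProperty(new Widget(), "name"));

        // Fail fast at start-up rather than discover the gap in production.
        if (!isClassPropertySuppressed(bub)) {
            throw new IllegalStateException(
                "BeanUtilsBean exposes the class property; upgrade to 1.9.4 or call harden()");
        }
    }
}
```

Two points to keep in mind when applying this. BeanUtilsBean.getInstance() is held per context classloader, so in a container that hosts several web applications each one that uses the static BeanUtils facade needs to harden its own instance. And the protection is only as good as the introspector list: any code path that calls removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS) reopens the hole described above and should be treated as a finding when reviewing a code base.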

Credit: This was discovered by Melloware (https://melloware.com/).

Example (from the 1.9.4 test suite; AlphaBean is a test bean shipped with the
commons-beanutils test sources, and fail/assertEquals are the JUnit
assertions that suite uses):

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Example displaying the new default behaviour: it is not possible to access
 * class level properties through BeanUtilsBean, which in turn uses
 * PropertyUtilsBean.
 */
public void testSuppressClassPropertyByDefault() throws Exception {
    final BeanUtilsBean bub = new BeanUtilsBean();
    final AlphaBean bean = new AlphaBean();
    try {
        bub.getProperty(bean, "class");
        fail("Could access class property!");
    } catch (final NoSuchMethodException ex) {
        // ok: SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS is
        // registered by default, so "class" is not a known property
    }
}

/**
 * Example showing how to revert to the behaviour prior to the 1.9.4 release,
 * where class level properties were accessible through BeanUtilsBean and
 * PropertyUtilsBean. Doing this reopens CVE-2014-0114.
 */
public void testAllowAccessToClassProperty() throws Exception {
    final BeanUtilsBean bub = new BeanUtilsBean();
    bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
    final AlphaBean bean = new AlphaBean();
    final String result = bub.getProperty(bean, "class");
    assertEquals("Class property should have been accessed", "class org.apache.commons.beanutils.AlphaBean", result);
}

References:
[1] https://issues.apache.org/jira/browse/BEANUTILS-520
[2] http://commons.apache.org/proper/commons-beanutils/