Posted to dev@myfaces.apache.org by "Volodymyr Siedlecki (Jira)" <de...@myfaces.apache.org> on 2019/09/17 17:35:00 UTC
[jira] [Created] (MYFACES-4300) Upgrade Apache Commons Beanutils to 1.9.4
Volodymyr Siedlecki created MYFACES-4300:
--------------------------------------------
Summary: Upgrade Apache Commons Beanutils to 1.9.4
Key: MYFACES-4300
URL: https://issues.apache.org/jira/browse/MYFACES-4300
Project: MyFaces Core
Issue Type: Improvement
Components: JSR-344, JSR-372
Affects Versions: 2.3.4, 2.2.12
Reporter: Volodymyr Siedlecki
Hello,
A security vulnerability (CVE-2019-10086) was discovered in Apache Commons Beanutils 1.9.2. Previously, MyFaces had updated to 1.9.2 in this issue https://issues.apache.org/jira/browse/MYFACES-4032 relating to another security issue (CVE-2014-0114) but was found *not* vulnerable.
It was discovered that 1.9.2 had added a special BeanIntrospector class that prevents attackers from using the class property of all java objects to access the class loader. However, this behavior was not set as the default (1).
It does not appear that MyFaces is vulnerable to this new vulnerability since there are only a few non-vulnerable startup uses of Apache Commons Beanutils in the MyFaces code:
impl/src/main/java/org/apache/myfaces/application/ApplicationImpl.java
BeanUtils.setProperty(converter, property.getPropertyName(), property.getDefaultValue())
impl/src/main/java/org/apache/myfaces/config/ManagedBeanBuilder.java
if (PropertyUtils.isReadable(bean, property.getPropertyName()))
if (PropertyUtils.isReadable(bean, property.getPropertyName()))
However, I hope you may still upgrade MyFaces to use the latest update of Apache Commons Beanutils, version 1.9.4.
I've added patches for 2.2.x, 2.3.x and master. All three have built successfully when I tested the update.
1. http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3CC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3E
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
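An added example, not part of the Jira ticket or of the MyFaces patches, showing the BeanIntrospector mitigation the issue refers to: on commons-beanutils 1.9.2/1.9.3 the SuppressPropertiesBeanIntrospector has to be registered explicitly, while 1.9.4 registers it by default. The Settings bean and the ClassPropertyCheck class are constructed for illustration; the code assumes commons-beanutils 1.9.2 or later on the classpath.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

// Example added for this issue; not part of the Jira ticket or the MyFaces code.
// Assumes commons-beanutils 1.9.2 or later on the classpath.
public class ClassPropertyCheck {

    // Constructed sample bean: every Java object inherits getClass(), so the
    // default introspector reports a readable "class" property on it.
    public static class Settings {
        private String name = "demo";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Returns true when BeanUtils would expose the bean's "class" property. */
    static boolean classPropertyExposed(PropertyUtilsBean pu, Object bean) {
        return pu.isReadable(bean, "class");
    }

    public static void main(String[] args) {
        // Same PropertyUtilsBean that the static PropertyUtils/BeanUtils calls use.
        PropertyUtilsBean pu = BeanUtilsBean.getInstance().getPropertyUtils();
        Settings bean = new Settings();

        // 1.9.2/1.9.3 without the suppressor: true. 1.9.4: false (suppressor is default).
        System.out.println("before: class exposed = " + classPropertyExposed(pu, bean));

        // Hardening for versions before 1.9.4: register the introspector that strips
        // the "class" descriptor, then drop descriptors cached before registration.
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pu.clearDescriptors();

        System.out.println("after:  class exposed = " + classPropertyExposed(pu, bean));
        // Ordinary bean properties stay readable after the suppressor is installed.
        System.out.println("name readable = " + pu.isReadable(bean, "name"));
    }
}
```

Running the same check against the converter and managed-bean objects MyFaces passes to BeanUtils is a quick way to confirm which introspector configuration a deployment is actually running with.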