Posted to dev@myfaces.apache.org by "Volodymyr Siedlecki (Jira)" <de...@myfaces.apache.org> on 2019/09/17 17:35:00 UTC

[jira] [Created] (MYFACES-4300) Upgrade Apache Commons Beanutils to 1.9.4

Volodymyr Siedlecki created MYFACES-4300:
--------------------------------------------

             Summary: Upgrade Apache Commons Beanutils to 1.9.4
                 Key: MYFACES-4300
                 URL: https://issues.apache.org/jira/browse/MYFACES-4300
             Project: MyFaces Core
          Issue Type: Improvement
          Components: JSR-344, JSR-372
    Affects Versions: 2.3.4, 2.2.12
            Reporter: Volodymyr Siedlecki


Hello,

A security vulnerability (CVE-2019-10086) was discovered in Apache Commons Beanutils 1.9.2. Previously, MyFaces had updated to 1.9.2 in this issue https://issues.apache.org/jira/browse/MYFACES-4032 relating to another security issue (CVE-2014-0114) but was found *not* vulnerable.

It was discovered that 1.9.2 had added a special BeanIntrospector class that prevents attackers from using the class property of all java objects to access the class loader. However, this behavior was not set as the default (1).

It does not appear that MyFaces is vulnerable to this new vulnerability since there are only a few non-vulnerable startup uses of Apache Commons Beanutils in the MyFaces code:

impl/src/main/java/org/apache/myfaces/application/ApplicationImpl.java
 BeanUtils.setProperty(converter, property.getPropertyName(), property.getDefaultValue())

impl/src/main/java/org/apache/myfaces/config/ManagedBeanBuilder.java
 if (PropertyUtils.isReadable(bean, property.getPropertyName()))
 if (PropertyUtils.isReadable(bean, property.getPropertyName()))

However, I hope you may still upgrade MyFaces to use the latest update of Apache Commons Beanutils, version 1.9.4.

I've added patches for 2.2.x, 2.3.x, master. All three have built successfully when I tested the update.

1. http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3CC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3E
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
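The message above explains the mechanism behind CVE-2019-10086: BeanUtils 1.9.2 ships a SuppressPropertiesBeanIntrospector that hides the "class" property (and therefore the "class.classLoader" path) from property resolution, but does not register it by default, so a caller who passes an attacker-controlled property name to BeanUtils/PropertyUtils can still reach the class loader. The following is an added example, not code from MyFaces or from the Commons BeanUtils project, showing how a downstream application that cannot yet move to 1.9.4 can opt in to the introspector on its own BeanUtilsBean instance, and how to check whether a given instance still resolves "class". The Converter bean, the exposesClassProperty helper and the property names used are constructed for this example.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Demonstrates the difference between a BeanUtilsBean that resolves the
 * "class" property and one that has SuppressPropertiesBeanIntrospector
 * registered. Requires commons-beanutils 1.9.2 or later on the classpath.
 */
public class ClassPropertyCheck {

    /** Constructed sample bean standing in for a JSF converter configured via faces-config. */
    public static class Converter {
        private String pattern = "yyyy-MM-dd";
        public String getPattern() { return pattern; }
        public void setPattern(String pattern) { this.pattern = pattern; }
    }

    /**
     * Returns true if this BeanUtilsBean will hand back java.lang.Class for the
     * property name "class". A suppressed property raises NoSuchMethodException
     * ("Unknown property 'class' ..."), which we treat as "not exposed".
     */
    static boolean exposesClassProperty(BeanUtilsBean beanUtils) throws Exception {
        PropertyUtilsBean propertyUtils = beanUtils.getPropertyUtils();
        try {
            Object value = propertyUtils.getProperty(new Converter(), "class");
            return value instanceof Class;
        } catch (NoSuchMethodException suppressed) {
            return false;
        }
    }

    /** Builds a BeanUtilsBean with the class-property suppression registered explicitly. */
    static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        // Available since 1.9.2; registered by default only from 1.9.4 onwards.
        beanUtils.getPropertyUtils()
                 .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return beanUtils;
    }

    public static void main(String[] args) throws Exception {
        // Plain instance: on 1.9.2/1.9.3 this resolves "class" (and "class.classLoader");
        // on 1.9.4 the default already suppresses it.
        BeanUtilsBean plain = new BeanUtilsBean();
        System.out.println("plain instance exposes 'class': " + exposesClassProperty(plain));

        BeanUtilsBean hardened = hardenedBeanUtils();
        System.out.println("hardened instance exposes 'class': " + exposesClassProperty(hardened));

        // Legitimate startup-style use (fixed property name from configuration) keeps working.
        Converter converter = new Converter();
        hardened.setProperty(converter, "pattern", "dd.MM.yyyy");
        System.out.println("pattern after setProperty: " + converter.getPattern());

        // An attacker-controlled path that walks through the class loader is rejected
        // by the hardened instance; it is the kind of input the advisory is about.
        try {
            hardened.getPropertyUtils().getProperty(converter, "class.classLoader");
            System.out.println("class.classLoader resolved (instance is NOT hardened)");
        } catch (NoSuchMethodException e) {
            System.out.println("class.classLoader rejected: " + e.getMessage());
        }
    }
}
```

The key point for a MyFaces-style consumer is that the two call sites quoted in the issue pass property names that come from faces-config at startup, not from a request, so the missing default in 1.9.2 does not turn into an exploitable path there; the upgrade to 1.9.4 matters mainly so that any other code sharing the same BeanUtils jar gets the safe default without having to register the introspector itself. Note that registering the introspector on a fresh BeanUtilsBean affects only that instance; code that goes through the static BeanUtils/PropertyUtils facades uses the per-context BeanUtilsBean.getInstance(), which would need the same treatment.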