Posted to dev@myfaces.apache.org by "Bill Lucy (Jira)" <de...@myfaces.apache.org> on 2019/09/19 19:35:00 UTC

[jira] [Commented] (MYFACES-4300) Upgrade Apache Commons Beanutils to 1.9.4

    [ https://issues.apache.org/jira/browse/MYFACES-4300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16933712#comment-16933712 ] 

Bill Lucy commented on MYFACES-4300:
------------------------------------

Thanks for the patch, [~volosied]!  I've applied your patch from the 2.0 - master branches.

> Upgrade Apache Commons Beanutils to 1.9.4
> -----------------------------------------
>
>                 Key: MYFACES-4300
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4300
>             Project: MyFaces Core
>          Issue Type: Improvement
>          Components: JSR-344, JSR-372
>    Affects Versions: 2.2.12, 2.3.4
>            Reporter: Volodymyr Siedlecki
>            Priority: Minor
>         Attachments: MYFACES-4300-22x.patch, MYFACES-4300-23x.patch, MYFACES-4300-master.patch
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Hello,
> A security vulnerability (CVE-2019-10086) was discovered in Apache Commons Beanutils 1.9.2. Previously, MyFaces had updated to 1.9.2 in this issue https://issues.apache.org/jira/browse/MYFACES-4032 relating to another security issue (CVE-2014-0114) but was found *not* vulnerable.
> As for the current vulnerability, 1.9.2 had added a special BeanIntrospector class that prevents attackers from using the class property of all java objects to access the class loader. However, _this behavior was not set as the default_ (1).
> It does not appear that MyFaces is vulnerable to this new vulnerability since there are only a few non-vulnerable startup uses of Apache Commons Beanutils in the MyFaces code:
> impl/src/main/java/org/apache/myfaces/application/ApplicationImpl.java
>  BeanUtils.setProperty(converter, property.getPropertyName(), property.getDefaultValue())
> impl/src/main/java/org/apache/myfaces/config/ManagedBeanBuilder.java
>  if (PropertyUtils.isReadable(bean, property.getPropertyName()))
>  if (PropertyUtils.isReadable(bean, property.getPropertyName()))
> However, I hope you may still upgrade MyFaces to use the latest update of Apache Commons Beanutils, version 1.9.4.
> I've added patches for 2.2.x, 2.3.x, master. All three have built successfully when I tested the update.
> 1. [http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3CC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3E]
>  2. [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
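The issue description above refers to the "special BeanIntrospector" that 1.9.2 added as an opt-in and that 1.9.4 turns on by default. The following Java snippet is an added illustration, not code from the MyFaces project or from the attached patches: it shows how that introspector (`SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS`) is registered on a `PropertyUtilsBean`, and how a defender can verify the effect by checking whether the `class` property is still readable. `SampleBean` is a constructed stand-in for a converter or managed bean; no MyFaces classes are involved.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyHardeningCheck {

    // Constructed sample bean, standing in for a converter or managed bean
    // that MyFaces would populate via BeanUtils.setProperty(...).
    public static class SampleBean {
        private String name = "default";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // True when "class" (backed by java.lang.Object#getClass) is exposed as a
    // readable bean property, i.e. the class loader is reachable through it.
    static boolean classPropertyExposed(PropertyUtilsBean pu, Object bean) {
        return pu.isReadable(bean, "class");
    }

    public static void main(String[] args) throws Exception {
        Object bean = new SampleBean();

        // A fresh instance with the library's default introspectors.
        // With the 1.9.2/1.9.3 defaults this reports true; with 1.9.4 it reports false.
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        PropertyUtilsBean pu = beanUtils.getPropertyUtils();
        System.out.println("class readable with library defaults: "
                + classPropertyExposed(pu, bean));

        // Explicit hardening, equivalent to what 1.9.4 does by default:
        // register the introspector that removes "class" from the property list.
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Drop cached descriptors for already-introspected classes so the
        // newly added introspector is applied on the next lookup.
        pu.clearDescriptors();
        System.out.println("class readable after SUPPRESS_CLASS: "
                + classPropertyExposed(pu, bean));

        // Ordinary properties are unaffected by the suppression.
        beanUtils.setProperty(bean, "name", "hardened");
        System.out.println("name = " + beanUtils.getProperty(bean, "name"));
    }
}
```

Run against the `commons-beanutils` version on the classpath, the first line printed tells you whether that version suppresses `class` out of the box; a `true` there is the signal that you are on a pre-1.9.4 default and should either upgrade or register `SUPPRESS_CLASS` explicitly on every `PropertyUtilsBean` your code uses, including the shared `BeanUtilsBean.getInstance()`.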