Posted to commits@commons.apache.org by ch...@apache.org on 2019/08/15 12:57:24 UTC
[commons-beanutils] 01/02: (docs) rework from Sebb on CVE description
This is an automated email from the ASF dual-hosted git repository.
chtompki pushed a commit to branch 1.X
in repository https://gitbox.apache.org/repos/asf/commons-beanutils.git
commit dd8e3b5935bc32531dfe8821a8561209b3b8d2b3
Author: Rob Tompkins <ch...@gmail.com>
AuthorDate: Tue Aug 13 20:38:51 2019 -0400
(docs) rework from Sebb on CVE description
---
src/site/xdoc/index.xml | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index bc7508a..75083ed 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -103,14 +103,20 @@ Bean Collections has an additional dependency on
<strong>Severity.</strong> Medium<br/><br/>
<strong>Vendor.</strong> The Apache Software Foundation<br/><br/>
<strong>Versions Affected.</strong> All versions commons-beanutils-1.9.3 and before.<br/><br/>
- <strong>Description.</strong> In version 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for
- an attacker to access the classloader via the class property available on all Java objects. We, however were not
- using this by default characteristic of the PropertyUtilsBean.<br/><br/>
+ <strong>Description.</strong> A special BeanIntrospector class was added in version 1.9.2.
+ This can be used to stop attackers from using the class property of
+ Java objects to get access to the classloader.
+ However this protection was not enabled by default.
+ PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
+ level property access by default, thus protecting against
+ CVE-2014-0114.<br/><br/>
<strong>Mitigation.</strong> Upgrade to commons-beanutils-1.9.4<br/><br/>
<strong>Credit.</strong> This was discovered by Melloware (https://melloware.com/).<br/><br/>
<strong>Example.</strong>
<source>/**
-* Example usage after 1.9.4
+* Example displaying the new default behaviour such that
+* it is not possible to access class level properties utilizing the
+* BeanUtilsBean, which in turn utilizes the PropertyUtilsBean.
*/
public void testSuppressClassPropertyByDefault() throws Exception {
final BeanUtilsBean bub = new BeanUtilsBean();
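Review bot: The unchanged Mitigation line ("Upgrade to commons-beanutils-1.9.4") is now narrower than the reworked Description implies: the new text says the special BeanIntrospector has existed since 1.9.2 and only needed enabling, so users of 1.9.2 or 1.9.3 who cannot upgrade immediately have a documented workaround (register that introspector on their PropertyUtilsBean) that this section never mentions. Consider extending Mitigation to something like "Upgrade to commons-beanutils-1.9.4. Users of 1.9.2 or 1.9.3 who cannot upgrade should enable the special BeanIntrospector described above." Related wording point in the same hunk: the new Javadoc "Example displaying the new default behaviour such that it is not possible to access class level properties utilizing the BeanUtilsBean, which in turn utilizes the PropertyUtilsBean" would read more cleanly as "Example of the new default behaviour: class level properties cannot be accessed through BeanUtilsBean (which delegates to PropertyUtilsBean)."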
@@ -124,7 +130,9 @@ public void testSuppressClassPropertyByDefault() throws Exception {
}
/**
-* Example usage to restore 1.9.3 behaviour
+* Example showing how by which one would use to revert to the
+* behaviour prior to the 1.9.4 release where class level properties were accessible by
+* the BeanUtilsBean and the PropertyUtilsBean.
*/
public void testAllowAccessToClassProperty() throws Exception {
final BeanUtilsBean bub = new BeanUtilsBean();
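Review bot: The replacement Javadoc "Example showing how by which one would use to revert to the behaviour prior to the 1.9.4 release ..." is ungrammatical ("how by which one would use"), and since the Description hunk above states that class property access is exactly what lets an attacker reach the classloader, a comment documenting how to re-enable it should say that it re-opens that exposure. Suggested text: "Example showing how to restore the pre-1.9.4 behaviour, in which class level properties are accessible through BeanUtilsBean and PropertyUtilsBean. Doing so removes the default protection described in the security report above."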