Posted to commits@commons.apache.org by ch...@apache.org on 2019/08/15 12:57:24 UTC

[commons-beanutils] 01/02: (docs) rework from Sebb on CVE description

This is an automated email from the ASF dual-hosted git repository.

chtompki pushed a commit to branch 1.X
in repository https://gitbox.apache.org/repos/asf/commons-beanutils.git

commit dd8e3b5935bc32531dfe8821a8561209b3b8d2b3
Author: Rob Tompkins <ch...@gmail.com>
AuthorDate: Tue Aug 13 20:38:51 2019 -0400

    (docs) rework from Sebb on CVE description
---
 src/site/xdoc/index.xml | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index bc7508a..75083ed 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -103,14 +103,20 @@ Bean Collections has an additional dependency on
     <strong>Severity.</strong> Medium<br/><br/>
     <strong>Vendor.</strong> The Apache Software Foundation<br/><br/>
     <strong>Versions Affected.</strong> All versions commons-beanutils-1.9.3 and before.<br/><br/>
-    <strong>Description.</strong> In version 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for
-    an attacker to access the classloader via the class property available on all Java objects. We, however were not
-    using this by default characteristic of the PropertyUtilsBean.<br/><br/>
+    <strong>Description.</strong> A special BeanIntrospector class was added in version 1.9.2.
+    This can be used to stop attackers from using the class property of
+    Java objects to get access to the classloader.
+    However this protection was not enabled by default.
+    PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
+    level property access by default, thus protecting against
+    CVE-2014-0114.<br/><br/>
     <strong>Mitigation.</strong> Upgrade to commons-beanutils-1.9.4<br/><br/>
     <strong>Credit.</strong> This was discovered by Melloware (https://melloware.com/).<br/><br/>
     <strong>Example.</strong>
     <source>/**
-* Example usage after 1.9.4
+* Example displaying the new default behaviour such that
+* it is not possible to access class level properties utilizing the
+* BeanUtilsBean, which in turn utilizes the PropertyUtilsBean.
 */
 public void testSuppressClassPropertyByDefault() throws Exception {
   final BeanUtilsBean bub = new BeanUtilsBean();
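Review bot: the rewritten Description names only CVE-2014-0114, the issue the BeanIntrospector was added for in 1.9.2, while the surrounding advisory (Versions Affected up to 1.9.3, Mitigation upgrade to 1.9.4) is about the separate defect that the protection was not on by default; the text should state explicitly which CVE identifier this advisory describes and leave "thus protecting against CVE-2014-0114" as context, otherwise a reader scanning for the identifier of the 1.9.4 fix finds the wrong one. Two smaller points in the same hunk: "PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class level property access by default" should say that this default changed in 1.9.4, since the Mitigation line depends on it, and "Mitigation. Upgrade to commons-beanutils-1.9.4" is missing its terminal period.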
@@ -124,7 +130,9 @@ public void testSuppressClassPropertyByDefault() throws Exception {
 }
 
 /**
-* Example usage to restore 1.9.3 behaviour
+* Example showing how by which one would use to revert to the
+* behaviour prior to the 1.9.4 release where class level properties were accessible by
+* the BeanUtilsBean and the PropertyUtilsBean.
 */
 public void testAllowAccessToClassProperty() throws Exception {
   final BeanUtilsBean bub = new BeanUtilsBean();
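Review bot: the new Javadoc sentence "Example showing how by which one would use to revert to the behaviour prior to the 1.9.4 release" does not parse; suggest "Example showing how to revert to the behaviour prior to the 1.9.4 release, where class level properties were accessible through the BeanUtilsBean and the PropertyUtilsBean." Since this example re-enables access to the class property, and with it the classloader exposure the Description above warns about, the comment should also say it is only for callers that genuinely need class level property access, so nobody copies it as a default configuration.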