[https://issues.apache.org/jira/browse/HADOOP-16542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16921595#comment-16921595]
Wei-Chiu Chuang edited comment on HADOOP-16542 at 9/3/19 5:37 PM:
------------------------------------------------------------------
FWIW commons-beanutils was added in HADOOP-12756 to support the Aliyun OSS cloud
connector (available in 2.9.1 and above). It's probably okay to remove it since
it was not added for the Hadoop core codebase, and I don't expect downstream
applications to depend on it.
was (Author: jojochuang):
FWIW commons-beanutils was added in HADOOP-12756 to support the Aliyun OSS cloud
connector. It's probably okay to remove it since it was not added for the
Hadoop core codebase, and I don't expect downstream applications to depend on
it.
> Update commons-beanutils version
> --------------------------------
>
> Key: HADOOP-16542
> URL: https://issues.apache.org/jira/browse/HADOOP-16542
> Project: Hadoop Common
> Issue Type: Task
> Affects Versions: 2.10.0, 3.3.0
> Reporter: Wei-Chiu Chuang
> Assignee: kevin su
> Priority: Major
> Labels: release-blocker
> Attachments: HADOOP-16542.001.patch
>
>
> [http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%[email protected]%3e]
> {quote}
> CVE-2019-10086. Apache Commons Beanutils does not suppress the class
> property in PropertyUtilsBean by default.
> Severity: Medium
> Vendor: The Apache Software Foundation
> Versions Affected: commons-beanutils-1.9.3 and earlier
> Description: A special BeanIntrospector class was added in version 1.9.2.
> This can be used to stop attackers from using the class property of
> Java objects to get access to the classloader.
> However this protection was not enabled by default.
> PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
> level property access by default, thus protecting against
> CVE-2014-0114.
> Mitigation: 1.X users should migrate to 1.9.4.
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
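The quoted advisory says the protective BeanIntrospector shipped in 1.9.2 but was off by default until 1.9.4. The following is an added example, not code from Hadoop or from the issue, showing how a service that cannot upgrade yet applies the 1.9.4 default explicitly and verifies that the "class" property is no longer resolvable; it assumes commons-beanutils 1.9.2 or later on the classpath and uses a constructed sample bean.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Hardening check for commons-beanutils 1.9.2/1.9.3 (CVE-2019-10086).
 * Registers the introspector that suppresses the "class" property (present since
 * 1.9.2, default only from 1.9.4) and confirms class-level access is rejected.
 */
public class BeanUtilsHardeningCheck {

    /** Constructed sample bean standing in for any object handed to BeanUtils. */
    public static class SampleBean {
        private String name = "sample";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Apply the 1.9.4 default on the shared PropertyUtilsBean instance. */
    public static void suppressClassProperty() {
        PropertyUtilsBean utils = BeanUtilsBean.getInstance().getPropertyUtils();
        utils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        utils.clearDescriptors(); // drop cached descriptors so the introspector takes effect
    }

    /**
     * True when "class" is treated as an unknown property, i.e. the mitigation is
     * active (either through 1.9.4 defaults or suppressClassProperty()).
     */
    public static boolean isClassPropertySuppressed() {
        PropertyUtilsBean utils = BeanUtilsBean.getInstance().getPropertyUtils();
        try {
            utils.getProperty(new SampleBean(), "class");
            return false; // still resolvable: the classloader is reachable from here
        } catch (NoSuchMethodException expected) {
            return true;  // suppressed property behaves like a property that does not exist
        } catch (ReflectiveOperationException other) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // On 1.9.4 the first line already reports true; on 1.9.2/1.9.3 it reports false.
        System.out.println("before: suppressed=" + isClassPropertySuppressed());
        suppressClassProperty();
        System.out.println("after:  suppressed=" + isClassPropertySuppressed());
        // Ordinary properties keep working after the introspector is registered.
        PropertyUtilsBean utils = BeanUtilsBean.getInstance().getPropertyUtils();
        System.out.println("name=" + utils.getProperty(new SampleBean(), "name"));
    }
}
```

Run the check once at startup (or as a unit test) in any service that keeps 1.9.2/1.9.3 on the classpath; a false result after suppressClassProperty() means a different BeanUtilsBean instance is in use and needs the same treatment.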