[
https://issues.apache.org/jira/browse/SOLR-9153?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mike Drob updated SOLR-9153:
----------------------------
Attachment: SOLR-9153.patch
Attaching a very simple patch for this. Our tests pass, but they also don't
stress the Velocity library very hard, so there is still a chance to
inadvertently break something.
> Update beanutils version to 1.9.2
> ---------------------------------
>
> Key: SOLR-9153
> URL: https://issues.apache.org/jira/browse/SOLR-9153
> Project: Solr
> Issue Type: Bug
> Components: contrib - Velocity
> Affects Versions: 6.0
> Reporter: Mike Drob
> Priority: Minor
> Attachments: SOLR-9153.patch
>
>
> See CVE-2014-0114 --
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
> {quote}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar
> in Apache Struts 1.x through 1.3.10 and in other products requiring
> commons-beanutils through 1.9.2, does not suppress the class property, which
> allows remote attackers to "manipulate" the ClassLoader and execute arbitrary
> code via the class parameter, as demonstrated by the passing of this
> parameter to the getClass method of the ActionForm object in Struts 1.
> {quote}
> We transitively depend on BeanUtils through Velocity, but it doesn't look
> like there is much movement on the project there. See BEANUTILS-463 and
> VELTOOLS-170
> Also, this might have impact on SOLR-3736 but that issue also looks largely
> abandoned.
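The mitigation this CVE points at is illustrated below as an added example; it is not part of SOLR-9153, the attached patch, or the Velocity tools code. It assumes commons-beanutils 1.9.2 on the classpath, because that release introduced `SuppressPropertiesBeanIntrospector`, and uses a constructed form bean named `ExampleForm`. The point is that upgrading the jar alone does not suppress the `class` property; the introspector has to be registered on the `BeanUtilsBean` instance that populates beans from request parameters.

```java
import java.util.Map;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

// Added example (not part of SOLR-9153 or its patch): contrasts a default
// BeanUtilsBean, which exposes every bean's "class" property, with one that
// registers the SuppressPropertiesBeanIntrospector shipped in BeanUtils 1.9.2.
public class SuppressClassPropertyExample {

    // Constructed stand-in for a bean that gets populated from request parameters.
    public static class ExampleForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Hardened instance: the "class" property is removed from introspection, so
    // populate()/setProperty() skip any "class..." parameter instead of walking
    // into getClass() and the ClassLoader behind it.
    public static BeanUtilsBean hardened() {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        beanUtils.getPropertyUtils()
                 .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return beanUtils;
    }

    // Startup or unit-test check: true means the "class" property is still reachable.
    public static boolean exposesClassProperty(BeanUtilsBean beanUtils) {
        return beanUtils.getPropertyUtils().isReadable(new ExampleForm(), "class");
    }

    public static void main(String[] args) throws Exception {
        BeanUtilsBean plain = new BeanUtilsBean();
        BeanUtilsBean safe = hardened();

        System.out.println("default exposes class: " + exposesClassProperty(plain));
        System.out.println("hardened exposes class: " + exposesClassProperty(safe));

        // describe() lists every readable property; with the introspector registered
        // the "class" key no longer appears alongside "name".
        ExampleForm form = new ExampleForm();
        form.setName("example");
        Map<String, String> described = safe.describe(form);
        System.out.println("described keys: " + described.keySet());
    }
}
```

The check reports `true` for the default instance and `false` for the hardened one, and `describe()` on the hardened instance returns only `name`. In 1.9.2 the introspector must be added explicitly to each `BeanUtilsBean`/`PropertyUtilsBean` an application uses, including the shared `BeanUtilsBean.getInstance()` behind the static `BeanUtils` helpers; only from release 1.9.4 is `SUPPRESS_CLASS` registered by default.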
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)