[ https://issues.apache.org/jira/browse/SOLR-9153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15359651#comment-15359651 ]

Gregory Chanan commented on SOLR-9153:
--------------------------------------

My reading of BEANUTILS-463 and the 1.9.2 release notes is that 1.9.2 only 
contains a fix; it doesn't actually apply the fix by default.  E.g. from the 
release notes:
{code}
* [BEANUTILS-463]
  Added new SuppressPropertiesBeanIntrospector class to deal with a potential
  class loader vulnerability.
{code}

> Update beanutils version to 1.9.2
> ---------------------------------
>
>                 Key: SOLR-9153
>                 URL: https://issues.apache.org/jira/browse/SOLR-9153
>             Project: Solr
>          Issue Type: Bug
>          Components: contrib - Velocity
>    Affects Versions: 6.0
>            Reporter: Mike Drob
>            Priority: Minor
>         Attachments: SOLR-9153.patch
>
>
> See CVE-2014-0114 -- 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
> {quote}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar 
> in Apache Struts 1.x through 1.3.10 and in other products requiring 
> commons-beanutils through 1.9.2, does not suppress the class property, which 
> allows remote attackers to "manipulate" the ClassLoader and execute arbitrary 
> code via the class parameter, as demonstrated by the passing of this 
> parameter to the getClass method of the ActionForm object in Struts 1. 
> {quote}
> We transitively depend on BeanUtils through Velocity, but it doesn't look 
> like there is much movement on the project there. See BEANUTILS-463 and 
> VELTOOLS-170
> Also, this might have impact on SOLR-3736 but that issue also looks largely 
> abandoned.
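The point above (1.9.2 ships SuppressPropertiesBeanIntrospector but does not register it) means a consumer has to opt in. The following is an added example, not Solr's, Velocity's or BeanUtils' own code; the Form bean is a hypothetical placeholder used only to show the before/after check.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsHardening {

    // Hypothetical bean standing in for a request-populated form object.
    public static class Form {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Opt in to the 1.9.2 fix: register the introspector that removes the
     * "class" property, so property paths can no longer reach getClass()
     * and, through it, the ClassLoader.
     */
    public static void suppressClassProperty() {
        PropertyUtilsBean pu = BeanUtilsBean.getInstance().getPropertyUtils();
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per class; drop anything introspected before
        // registration, otherwise a stale cache entry still exposes "class".
        pu.clearDescriptors();
    }

    /** Check usable in a startup self-test: true means "class" is still a readable bean property. */
    public static boolean exposesClassProperty(Object bean) {
        return BeanUtilsBean.getInstance().getPropertyUtils().isReadable(bean, "class");
    }

    public static void main(String[] args) {
        Form form = new Form();
        System.out.println("before: exposes class = " + exposesClassProperty(form)); // true on stock 1.9.2
        suppressClassProperty();
        System.out.println("after:  exposes class = " + exposesClassProperty(form)); // false
    }
}
```

BeanUtilsBean.getInstance() is scoped per context class loader, so the registration has to happen in the same context (e.g. the webapp) that later populates beans.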



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
