Volodymyr Siedlecki created MYFACES-4300:
--------------------------------------------
Summary: Upgrade Apache Commons Beanutils to 1.9.4
Key: MYFACES-4300
URL: https://issues.apache.org/jira/browse/MYFACES-4300
Project: MyFaces Core
Issue Type: Improvement
Components: JSR-344, JSR-372
Affects Versions: 2.3.4, 2.2.12
Reporter: Volodymyr Siedlecki
Hello,
A security vulnerability (CVE-2019-10086) was discovered in Apache Commons
Beanutils 1.9.2. Previously, MyFaces had updated to 1.9.2 in this issue
https://issues.apache.org/jira/browse/MYFACES-4032 relating to another security
issue (CVE-2014-0114) but was found *not* vulnerable.
It was discovered that 1.9.2 had added a special BeanIntrospector class that
prevents attackers from using the class property of all java objects to access
the class loader. However, this behavior was not set as the default (1).
It does not appear that MyFaces is vulnerable to this new vulnerability since
there are only a few non-vulnerable startup uses of Apache Commons Beanutils in
the MyFaces code:
impl/src/main/java/org/apache/myfaces/application/ApplicationImpl.java
    BeanUtils.setProperty(converter, property.getPropertyName(), property.getDefaultValue())
impl/src/main/java/org/apache/myfaces/config/ManagedBeanBuilder.java
    if (PropertyUtils.isReadable(bean, property.getPropertyName()))
    if (PropertyUtils.isReadable(bean, property.getPropertyName()))
However, I hope you may still upgrade MyFaces to use the latest update of
Apache Commons Beanutils, version 1.9.4.
I’ve added patches for 2.2.x, 2.3.x, master. All three built successfully
when I tested the update.
1. http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%[email protected]%3E
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
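Added example (not code from the MyFaces project, from Commons BeanUtils, or from the reporter) illustrating the BeanIntrospector point made in the issue above: on Commons BeanUtils 1.9.2 and 1.9.3 the SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS introspector exists but has to be registered explicitly, while 1.9.4 registers it on the default instance. The ManagedBean class, the property names and the exposesClassProperty helper are assumptions made for this example; it assumes commons-beanutils 1.9.x on the classpath.

```java
// Added example, not MyFaces or Commons BeanUtils project code.
// Assumes commons-beanutils 1.9.x on the classpath.
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Hypothetical bean of the kind a managed-bean builder populates from
    // configuration; the property name "name" is an assumption for the example.
    public static class ManagedBean {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Hypothetical helper: true when "class" is exposed as a readable bean
    // property on the given PropertyUtilsBean. If it is, a property path such
    // as "class.classLoader" resolves through the same introspection.
    static boolean exposesClassProperty(PropertyUtilsBean pub, Object bean)
            throws Exception {
        return pub.isReadable(bean, "class");
    }

    public static void main(String[] args) throws Exception {
        ManagedBean bean = new ManagedBean();

        // Default instance (what the static BeanUtils/PropertyUtils facades use).
        // On 1.9.2/1.9.3 this still reports "class" as readable; on 1.9.4 the
        // suppressing introspector is registered by default and it reports false.
        PropertyUtilsBean defaults = BeanUtilsBean.getInstance().getPropertyUtils();
        System.out.println("default instance exposes 'class': "
                + exposesClassProperty(defaults, bean));

        // Hardened instance: register SUPPRESS_CLASS explicitly. A fresh
        // PropertyUtilsBean has its own descriptor cache, so registering the
        // introspector before the first lookup guarantees it takes effect.
        PropertyUtilsBean hardened = new PropertyUtilsBean();
        hardened.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("hardened instance exposes 'class': "
                + exposesClassProperty(hardened, bean));

        // Ordinary properties named in configuration keep working unchanged,
        // which is the situation at the MyFaces call sites cited in the issue.
        hardened.setProperty(bean, "name", "value-from-config");
        System.out.println("name readable: " + hardened.isReadable(bean, "name")
                + ", value: " + bean.getName());
    }
}
```

To harden the static PropertyUtils and BeanUtils facades application-wide on 1.9.2 or 1.9.3 rather than a private instance, the same addBeanIntrospector call goes on PropertyUtilsBean.getInstance() during startup, before any bean class has been introspected, because descriptors are cached per class. Upgrading to 1.9.4, as the issue proposes, removes the need for that call.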