[ https://issues.apache.org/jira/browse/MYFACES-4300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16934422#comment-16934422 ]

Volodymyr Siedlecki commented on MYFACES-4300:
----------------------------------------------

Thank you, [~wtlucy]!

> Upgrade Apache Commons Beanutils to 1.9.4
> -----------------------------------------
>
>                 Key: MYFACES-4300
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4300
>             Project: MyFaces Core
>          Issue Type: Improvement
>          Components: JSR-344, JSR-372
>    Affects Versions: 2.2.12, 2.3.4
>            Reporter: Volodymyr Siedlecki
>            Assignee: Bill Lucy
>            Priority: Minor
>             Fix For: 2.0.25-SNAPSHOT, 2.1.19-SNAPSHOT, 2.2.13-SNAPSHOT, 
> 3.0.0-SNAPSHOT, 2.3.5-SNAPSHOT
>
>         Attachments: MYFACES-4300-22x.patch, MYFACES-4300-23x.patch, 
> MYFACES-4300-master.patch
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Hello,
> A security vulnerability (CVE-2019-10086) was discovered in Apache Commons 
> Beanutils 1.9.2. Previously, MyFaces had updated to 1.9.2 in this issue 
> https://issues.apache.org/jira/browse/MYFACES-4032 relating to another 
> security issue (CVE-2014-0114) but was found *not* vulnerable.
> As for the current vulnerability, 1.9.2 had added a special BeanIntrospector 
> class that prevents attackers from using the class property of all java 
> objects to access the class loader. However, _this behavior was not set as 
> the default_ (1).
> It does not appear that MyFaces is vulnerable to this new vulnerability since 
> there are only a few non-vulnerable startup uses of Apache Commons Beanutils 
> in the MyFaces code:
> impl/src/main/java/org/apache/myfaces/application/ApplicationImpl.java
>  BeanUtils.setProperty(converter, property.getPropertyName(), 
> property.getDefaultValue())
> impl/src/main/java/org/apache/myfaces/config/ManagedBeanBuilder.java
>  if (PropertyUtils.isReadable(bean, property.getPropertyName()))
>  if (PropertyUtils.isReadable(bean, property.getPropertyName()))
> However, I hope you may still upgrade MyFaces to use the latest update of 
> Apache Commons Beanutils, version 1.9.4.
> I've added patches for 2.2.x, 2.3.x, master. All three have built 
> successfully when I tested the update.
> 1. [http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%[email protected]%3E]
> 2. [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
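The quoted description explains the mechanism behind CVE-2019-10086: every Java object exposes a `class` bean property, so a property path such as `class.classLoader` lets BeanUtils navigate from any bean to its ClassLoader, and the `SuppressPropertiesBeanIntrospector` that 1.9.2 added to block this was not registered by default until 1.9.4. The following is an added example, not code from MyFaces or from the patches attached to the issue, showing how the same `PropertyUtils.isReadable`/`getProperty` calls that MyFaces uses behave with and without the suppressor. The `Greeting` bean and the class name `ClassPropertyProbe` are hypothetical; the BeanUtils API calls (`SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS`, `PropertyUtilsBean.addBeanIntrospector`, `clearDescriptors`) exist in commons-beanutils 1.9.2 and later. Run against 1.9.2 or 1.9.3 the first probe reports `true`; against 1.9.4 it already reports `false` because the suppressor is the default there.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyProbe {

    /** Hypothetical bean standing in for any managed bean MyFaces would populate. */
    public static class Greeting {
        private String text = "hello";
        public String getText() { return text; }
        public void setText(String text) { this.text = text; }
    }

    /** Same check ManagedBeanBuilder makes; with an untrusted path it reveals the class loader. */
    static boolean isReachable(Object bean, String path) {
        return PropertyUtils.isReadable(bean, path);
    }

    /** Walks the nested path the way BeanUtils does (bean -> getClass() -> getClassLoader()). */
    static Object read(Object bean, String path) throws Exception {
        return PropertyUtils.getProperty(bean, path);
    }

    /** Opt in to the hardening that 1.9.2 shipped but did not enable; 1.9.4 enables it by default. */
    static void suppressClassProperty() {
        PropertyUtilsBean pu = BeanUtilsBean.getInstance().getPropertyUtils();
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per class; anything introspected before the
        // introspector was added still lists "class", so drop the cache.
        pu.clearDescriptors();
    }

    public static void main(String[] args) throws Exception {
        Greeting bean = new Greeting();
        String path = "class.classLoader"; // constructed attacker-style property path

        System.out.println("readable before hardening: " + isReachable(bean, path));
        if (isReachable(bean, path)) {
            System.out.println("resolved to: " + read(bean, path));
        }

        suppressClassProperty();

        System.out.println("readable after hardening:  " + isReachable(bean, path));
        try {
            read(bean, path);
        } catch (NoSuchMethodException expected) {
            // "class" is no longer a known property, so the path cannot be resolved
            System.out.println("getProperty now fails: " + expected.getMessage());
        }

        // Ordinary properties are untouched, so startup uses like
        // BeanUtils.setProperty(converter, name, defaultValue) keep working.
        System.out.println("text still readable: " + isReachable(bean, "text"));
    }
}
```

The registration only matters when the property name comes from an untrusted source; the MyFaces call sites listed in the description take names from faces-config, which is why the issue treats the upgrade as hygiene rather than a fix. Note that `addBeanIntrospector` applies to the `PropertyUtilsBean` instance it is called on, so the registration must be done on the same instance (here the default `BeanUtilsBean.getInstance()`) that the application's static `BeanUtils`/`PropertyUtils` calls use.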