[
https://issues.apache.org/jira/browse/BEANUTILS-520?focusedWorklogId=247202&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-247202
]
ASF GitHub Bot logged work on BEANUTILS-520:
--------------------------------------------
Author: ASF GitHub Bot
Created on: 23/May/19 00:48
Start Date: 23/May/19 00:48
Worklog Time Spent: 10m
Work Description: melloware commented on pull request #7: BEANUTILS-520:
Mitigate CVE-2014-0114 by enabling SuppressPropertiesB…
URL: https://github.com/apache/commons-beanutils/pull/7
Fixes CVE-2014-0114: https://nvd.nist.gov/vuln/detail/CVE-2014-0114
This patch by default enables the
`SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS`. So you are secure by
default.
To opt out and allow access to the "class" property, making it work like
BeanUtils 1.9.3 or lower, simply add this one line of code to remove the feature.
```java
final BeanUtilsBean bub = new BeanUtilsBean();
bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
```
This makes the library more secure by default but still allows backward
compatibility.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 247202)
Time Spent: 10m
Remaining Estimate: 0h
> BeanUtils2 mitigate CVE-2014-0114
> ---------------------------------
>
> Key: BEANUTILS-520
> URL: https://issues.apache.org/jira/browse/BEANUTILS-520
> Project: Commons BeanUtils
> Issue Type: Improvement
> Components: Bean / Property Utils
> Affects Versions: 1.9.3
> Reporter: Melloware
> Priority: Major
> Labels: security
> Time Spent: 10m
> Remaining Estimate: 0h
>
> https://nvd.nist.gov/vuln/detail/CVE-2014-0114
> Due to the above CVE, in 1.9.2 they added a Suppression, but it is still being
> marked as a security risk by most major checks from OWASP and Sonatype
> IQ.
> "commons-beanutils added a SuppressPropertiesBeanIntrospector which includes
> a specialized instance of itself as the SUPPRESS_CLASS constant beginning in
> version 1.9.2 that specifically suppresses the class property. However, this
> fix is not enabled by default."
> For BeanUtils2, why not make this the default and have people "enable" it if
> they want to get the feature.
> Thanks for your consideration.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
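The following is an added worked example, not code from pull request #7 or from Commons BeanUtils itself. It shows the behaviour the comment and the issue description refer to: on BeanUtils 1.9.2/1.9.3 the `class` property is exposed by default, so an attacker-supplied property path such as `class.classLoader` resolves through reflection (the root of CVE-2014-0114), while registering `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` makes `class` an unknown property. It is written against the public 1.9.x API (`BeanUtilsBean`, `PropertyUtilsBean.addBeanIntrospector`/`removeBeanIntrospector`/`clearDescriptors`, `BeanUtilsBean.getInstance()`); the class names `SuppressClassDemo` and `Account`, the `lookup` helper and the `class.classLoader` input are assumptions constructed for the demo.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added demo of the "class" property exposure behind CVE-2014-0114 and of the
 * SuppressPropertiesBeanIntrospector mitigation discussed in BEANUTILS-520.
 * Written against the public commons-beanutils 1.9.x API; the bean class, the
 * attacker string and the helper names are assumptions for this demo.
 */
public class SuppressClassDemo {

    /** Constructed sample form bean, standing in for a Struts-style ActionForm. */
    public static class Account {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Mirrors the vulnerable pattern: the property path comes straight from the
     * request and BeanUtils resolves it by reflection, getter by getter.
     */
    static String lookup(BeanUtilsBean bub, Object bean, String untrustedPath) {
        try {
            return "ALLOWED " + untrustedPath + " = " + bub.getProperty(bean, untrustedPath);
        } catch (NoSuchMethodException e) {
            // Once SUPPRESS_CLASS is registered, "class" is not a property at all, so
            // "class.classLoader..." fails at the first step instead of resolving.
            return "BLOCKED " + untrustedPath + ": " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "ERROR " + untrustedPath + ": " + e;
        }
    }

    public static void main(String[] args) {
        Account bean = new Account();
        // Attacker-controlled property path as it would arrive in a form field (constructed).
        // The real exploits continued from here into class loader internals.
        String attack = "class.classLoader";

        // 1) BeanUtils 1.9.2 / 1.9.3 out of the box: "class" is introspected like any
        //    other getter, so the path resolves to the bean's ClassLoader.
        BeanUtilsBean defaults = new BeanUtilsBean();
        System.out.println("default  : " + lookup(defaults, bean, attack));

        // 2) Hardened instance: register SUPPRESS_CLASS before the first lookup.
        //    PropertyUtilsBean caches property descriptors per bean class, so an
        //    introspector added after a class was already introspected only takes
        //    effect after getPropertyUtils().clearDescriptors().
        BeanUtilsBean hardened = new BeanUtilsBean();
        hardened.getPropertyUtils()
                .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("hardened : " + lookup(hardened, bean, attack));
        System.out.println("hardened : " + lookup(hardened, bean, "name")); // ordinary property still works

        // 3) Code that calls the static facade (BeanUtils.getProperty, BeanUtils.populate,
        //    PropertyUtils.*) never sees a BeanUtilsBean you constructed; it goes through
        //    the shared BeanUtilsBean.getInstance(). Harden that instance too, and clear
        //    the descriptor cache in case something was already introspected.
        BeanUtilsBean shared = BeanUtilsBean.getInstance();
        shared.getPropertyUtils()
              .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        shared.getPropertyUtils().clearDescriptors();
        System.out.println("facade   : " + lookup(shared, bean, attack));

        // 4) The opt-out from the pull request, for a release where SUPPRESS_CLASS is the
        //    default: removing it restores the older behaviour. On 1.9.3 it was never
        //    registered, so removeBeanIntrospector simply returns false and "class" stays exposed.
        BeanUtilsBean optOut = new BeanUtilsBean();
        boolean wasRegistered = optOut.getPropertyUtils()
                .removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("opt-out  : SUPPRESS_CLASS was registered by default = " + wasRegistered);
        System.out.println("opt-out  : " + lookup(optOut, bean, attack));
    }
}
```

Compile and run with commons-beanutils 1.9.3 on the classpath. The default instance prints the bean's application class loader for `class.classLoader`, the hardened instances report `class` as an unknown property while `name` still resolves, and the opt-out's `removeBeanIntrospector` returns `false` because 1.9.3 never registered the suppressor; on a release where it is registered by default the same call re-exposes `class`. The two caveats a practitioner tends to miss are in steps 2 and 3: register the introspector before the first lookup (or call `clearDescriptors()`), and apply it to `BeanUtilsBean.getInstance()` if any code uses the static `BeanUtils`/`PropertyUtils` facade, since a locally constructed `BeanUtilsBean` does not protect those calls.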