[ https://issues.apache.org/jira/browse/HDDS-13287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Attila Doroszlai resolved HDDS-13287.
-------------------------------------
    Fix Version/s: 2.1.0
         Assignee: Rohit Kumar
       Resolution: Done

> Upgrade Commons BeanUtils to 1.11.0 due to CVE-2025-48734
> ---------------------------------------------------------
>
>                 Key: HDDS-13287
>                 URL: https://issues.apache.org/jira/browse/HDDS-13287
>             Project: Apache Ozone
>          Issue Type: Task
>            Reporter: Rohit Kumar
>            Assignee: Rohit Kumar
>            Priority: Major
>             Fix For: 2.1.0
>
>
> Description
>
> *CVE-2025-48734:*
> Improper Access Control vulnerability in Apache Commons. A special 
> BeanIntrospector class was added in version 1.9.2. This can be used to stop 
> attackers from using the declared class property of Java enum objects to get 
> access to the classloader. However this protection was not enabled by 
> default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows 
> declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 
> address a potential security issue when accessing enum properties in an 
> uncontrolled way. If an application using Commons BeanUtils passes property 
> paths from an external source directly to the getProperty() method of 
> PropertyUtilsBean, an attacker can access the enum’s class loader via the 
> “declaredClass” property available on all Java “enum” objects. Accessing the 
> enum’s “declaredClass” allows remote attackers to access the ClassLoader and 
> execute arbitrary code. The same issue exists with 
> PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 
> 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. 
> Note that this new BeanIntrospector is enabled by default, but you can 
> disable it to regain the old behavior; see section 2.5 of the user's guide 
> and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 
> 1.11.0, and 2.x before 2.0.0-M2. Users of the artifact 
> commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 
> 1.11.0, which fixes the issue. Users of the artifact 
> org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to 
> version 2.0.0-M2, which fixes the issue.
> [https://nvd.nist.gov/vuln/detail/CVE-2025-48734] 
> Base Score: 8.8 HIGH
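As an added illustration, not part of the Jira issue and not code from Apache Ozone or Commons BeanUtils, the Java class below shows how an application that is still on a 1.9.2+ release (where the description says the protection exists but is off by default) can switch on the suppressing introspector for its own PropertyUtilsBean, and how to check that the change took effect. It assumes that the property the advisory calls "declaredClass" is the JavaBeans property derived from Enum.getDeclaringClass(), i.e. "declaringClass"; the enum Color, the class name and the helper method names are constructed for this example.

```java
import java.util.Arrays;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/** Example hardening for Commons BeanUtils 1.9.2 - 1.10.x (constructed example, not project code). */
public class BeanUtilsHardening {

    // Constructed sample enum standing in for any enum reachable from a bean graph.
    enum Color { RED, GREEN }

    /**
     * Registers introspectors that hide the bean properties through which a
     * java.lang.Class (and thus a ClassLoader) can be reached from an enum:
     * "class" (Object.getClass) and "declaringClass" (Enum.getDeclaringClass).
     * Cached descriptors are cleared so classes introspected earlier are re-read.
     */
    static void harden(PropertyUtilsBean pub) {
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pub.addBeanIntrospector(
                new SuppressPropertiesBeanIntrospector(Arrays.asList("declaringClass")));
        pub.clearDescriptors();
    }

    /**
     * Returns true if the given (possibly nested) property path still resolves
     * on the bean; false if BeanUtils no longer knows the property. Use it as a
     * startup self-check or a unit test after calling harden().
     */
    static boolean isResolvable(PropertyUtilsBean pub, Object bean, String path) {
        try {
            pub.getProperty(bean, path);
            return true;
        } catch (NoSuchMethodException e) {
            // "Unknown property": the introspector suppressed it.
            return false;
        } catch (ReflectiveOperationException e) {
            // IllegalAccessException / InvocationTargetException: not usable either.
            return false;
        }
    }

    public static void main(String[] args) {
        // A private instance keeps the demonstration independent of the global one.
        PropertyUtilsBean pub = new PropertyUtilsBean();
        String path = "declaringClass.classLoader";  // the path the advisory warns about
        System.out.println("before hardening, resolvable: " + isResolvable(pub, Color.RED, path));
        harden(pub);
        System.out.println("after hardening, resolvable:  " + isResolvable(pub, Color.RED, path));
    }
}
```

In a real application the same harden() call would be applied to the shared instance (BeanUtilsBean.getInstance().getPropertyUtils()) before any property path from an external source is handled. The isResolvable() check is the defender's regression test: it should report false for "declaringClass" and "class" paths once the introspectors are registered, and it is equally useful after upgrading to 1.11.0 to confirm that nothing in the application has re-enabled the old behaviour.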



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
