[ https://issues.apache.org/jira/browse/KAFKA-19359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17965208#comment-17965208 ]
Luke Chen commented on KAFKA-19359:
-----------------------------------

This PR: [https://github.com/apache/kafka/pull/19939] is to bump the `commons-beanutils` dependency version to 1.11.0 to resolve the CVE. After `commons-validator` has a new release, we should remove this `commons-beanutils` version bump workaround in this PR. Closing this ticket.

> [8.8] [CVE-2025-48734] [commons-beanutils] [1.9.4]
> --------------------------------------------------
>
>                 Key: KAFKA-19359
>                 URL: https://issues.apache.org/jira/browse/KAFKA-19359
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 4.0.0
>            Reporter: Surojeet Ghosh
>            Priority: Major
>
> This security defect has been flagged by *aqua container scan.* Description of the security defect is given below:
>
> *Aqua Description :* Improper Access Control vulnerability in Apache Commons.
>
> A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.
>
> Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum's class loader via the "declaredClass" property available on all Java "enum" objects. Accessing the enum's "declaredClass" allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
>
> Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the "declaredClass" property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.
>
> This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2. Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
>
> *My Review*
>
> I checked that this defect is due to commons-validator version 1.9.0 used in Kafka v4.0.0.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
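An added example, not part of this ticket or of the Kafka project, showing how a service that feeds externally supplied property paths to PropertyUtilsBean can register the suppressing BeanIntrospector the description refers to and verify that the enum-to-classloader path is refused, which matters on 1.9.2 through 1.10.x where the suppression was not on by default. It assumes commons-beanutils 1.9.2 or later on the classpath; the Order and Status classes and the hardenedPropertyUtils helper are constructed for the example. The description calls the property "declaredClass"; the accessor on java.lang.Enum is getDeclaringClass(), so the JavaBeans property name used here is "declaringClass".

```java
import java.util.Collections;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsHardeningCheck {
    // Constructed bean graph for the example: a bean exposing an enum property.
    public enum Status { ACTIVE, DISABLED }

    public static class Order {
        private Status status = Status.ACTIVE;
        public Status getStatus() { return status; }
        public void setStatus(Status s) { status = s; }
    }

    // Hypothetical helper: a PropertyUtilsBean that hides both "class" and
    // "declaringClass" from introspection regardless of the library default.
    public static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(
                Collections.singleton("declaringClass")));
        return pub;
    }

    // Returns true when the nested path is rejected. A suppressed property is
    // invisible to introspection, so PropertyUtilsBean reports it as unknown.
    public static boolean pathIsBlocked(PropertyUtilsBean pub, Object bean, String path) {
        try {
            pub.getNestedProperty(bean, path);
            return false;
        } catch (NoSuchMethodException e) {
            return true;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("unexpected reflection failure", e);
        }
    }

    public static void main(String[] args) {
        Order order = new Order();
        // Path shape the advisory warns about: enum -> declaring class -> class loader.
        String externalPath = "status.declaringClass.classLoader";
        System.out.println("default introspectors block it: "
                + pathIsBlocked(new PropertyUtilsBean(), order, externalPath));
        System.out.println("hardened introspectors block it: "
                + pathIsBlocked(hardenedPropertyUtils(), order, externalPath));
    }
}
```

On 1.11.0 both lines print true because the suppression is the default there; on 1.9.4 (the version the scan flagged) only the hardened instance blocks the path, which is the quick regression check to keep after the version bump.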