Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-16542

Update commons-beanutils version to 1.9.4

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.3.0
    • 3.3.0, 3.1.4, 3.2.2
    • None

    Description

      http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e

       

      CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean
      by default.

      Severity: Medium

      Vendor: The Apache Software Foundation

      Versions Affected: commons-beanutils-1.9.3 and earlier

      Description: A special BeanIntrospector class was added in version 1.9.2.
      This can be used to stop attackers from using the class property of
      Java objects to get access to the classloader.
      However this protection was not enabled by default.
      PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
      level property access by default, thus protecting against
      CVE-2014-0114.

      Mitigation: 1.X users should migrate to 1.9.4.

      Attachments

        1. HADOOP-16542.001.patch
          0.7 kB
          Kevin Su
        2. HADOOP-16542.002.patch
          5 kB
          Kevin Su
        3. HADOOP-16542.003.patch
          0.7 kB
          Kevin Su

        Issue Links

        relates to

        New Feature - A new feature of the product, which has yet to be developed. HADOOP-12756 Incorporate Aliyun OSS file system implementation

        • Major - Major loss of function.
        • Resolved

        Task - A task that needs to be done. HADOOP-16588 Update commons-beanutils version to 1.9.4 in branch-2

        • Critical - Crashes, loss of data, severe memory leak.
        • Resolved

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            pingsutw Kevin Su
            weichiu Wei-Chiu Chuang
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment