Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-16542

Update commons-beanutils version to 1.9.4

    XMLWordPrintableJSON

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.3.0
    • Fix Version/s: 3.3.0, 3.1.4, 3.2.2
    • Component/s: None
    • Labels:

      Description

      http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e

       

      CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean
      by default.

      Severity: Medium

      Vendor: The Apache Software Foundation

      Versions Affected: commons-beanutils-1.9.3 and earlier

      Description: A special BeanIntrospector class was added in version 1.9.2.
      This can be used to stop attackers from using the class property of
      Java objects to get access to the classloader.
      However this protection was not enabled by default.
      PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
      level property access by default, thus protecting against
      CVE-2014-0114.

      Mitigation: 1.X users should migrate to 1.9.4.

        Attachments

        1. HADOOP-16542.003.patch
          0.7 kB
          kevin su
        2. HADOOP-16542.002.patch
          5 kB
          kevin su
        3. HADOOP-16542.001.patch
          0.7 kB
          kevin su

          Issue Links

            Activity

              People

              • Assignee:
                pingsutw kevin su
                Reporter:
                weichiu Wei-Chiu Chuang
              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: