[HADOOP-16542] Update commons-beanutils version to 1.9.4 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.3.0
Fix Version/s: 3.3.0, 3.1.4, 3.2.2
Component/s: None
Labels:
- release-blocker

Description

http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e

CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean
by default.

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: commons-beanutils-1.9.3 and earlier

Description: A special BeanIntrospector class was added in version 1.9.2.
This can be used to stop attackers from using the class property of
Java objects to get access to the classloader.
However this protection was not enabled by default.
PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
level property access by default, thus protecting against
CVE-2014-0114.

Mitigation: 1.X users should migrate to 1.9.4.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-16542.001.patch
03/Sep/19 16:16
0.7 kB
Kevin Su
HADOOP-16542.002.patch
04/Sep/19 05:54
5 kB
Kevin Su
HADOOP-16542.003.patch
05/Sep/19 05:48
0.7 kB
Kevin Su

Issue Links

relates to

HADOOP-12756 Incorporate Aliyun OSS file system implementation

Resolved

HADOOP-18991 Remove commons-beanutils dependency from Hadoop 3

Open

HADOOP-16588 Update commons-beanutils version to 1.9.4 in branch-2

Resolved

Activity

People

Assignee:: Kevin Su

Reporter:: Wei-Chiu Chuang

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 03/Sep/19 13:32

Updated:: 27/Nov/23 09:48

Resolved:: 10/Sep/19 12:56