Wei-Chiu Chuang created HADOOP-16542:
----------------------------------------
Summary: Update commons-beanutils version
Key: HADOOP-16542
URL: https://issues.apache.org/jira/browse/HADOOP-16542
Project: Hadoop Common
Issue Type: Task
Affects Versions: 3.3.0
Reporter: Wei-Chiu Chuang
[http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cc628798f-315d-4428-8cb1-4ed1ecc95...@apache.org%3e]
{quote}
CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property
in PropertyUtilsBean
by default.
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: commons-beanutils-1.9.3 and earlier
Description: A special BeanIntrospector class was added in version 1.9.2.
This can be used to stop attackers from using the class property of
Java objects to get access to the classloader.
However this protection was not enabled by default.
PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
level property access by default, thus protecting against
CVE-2014-0114.
Mitigation: 1.X users should migrate to 1.9.4.
{quote}
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
