[ https://issues.apache.org/jira/browse/HADOOP-16542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
kevin su updated HADOOP-16542: ------------------------------ Attachment: HADOOP-16542.001.patch > Update commons-beanutils version > -------------------------------- > > Key: HADOOP-16542 > URL: https://issues.apache.org/jira/browse/HADOOP-16542 > Project: Hadoop Common > Issue Type: Task > Affects Versions: 3.3.0 > Reporter: Wei-Chiu Chuang > Assignee: kevin su > Priority: Major > Attachments: HADOOP-16542.001.patch > > > [http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cc628798f-315d-4428-8cb1-4ed1ecc95...@apache.org%3e] > {quote} > CVE-2019-10086. Apache Commons Beanutils does not suppresses the class > property in PropertyUtilsBean > by default. > Severity: Medium > Vendor: The Apache Software Foundation > Versions Affected: commons-beanutils-1.9.3 and earlier > Description: A special BeanIntrospector class was added in version 1.9.2. > This can be used to stop attackers from using the class property of > Java objects to get access to the classloader. > However this protection was not enabled by default. > PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class > level property access by default, thus protecting against > CVE-2014-0114. > Mitigation: 1.X users should migrate to 1.9.4. > {quote} -- This message was sent by Atlassian Jira (v8.3.2#803003) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org