[ https://issues.apache.org/jira/browse/HADOOP-16542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16926551#comment-16926551 ]
Hudson commented on HADOOP-16542: --------------------------------- FAILURE: Integrated in Jenkins build Hadoop-trunk-Commit #17268 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/17268/]) HADOOP-16542. Update commons-beanutils version to 1.9.4. Contributed by (weichiu: rev 38c1a10024476ae78975e4dc7d27a1524722b79d) * (edit) hadoop-project/pom.xml > Update commons-beanutils version to 1.9.4 > ----------------------------------------- > > Key: HADOOP-16542 > URL: https://issues.apache.org/jira/browse/HADOOP-16542 > Project: Hadoop Common > Issue Type: Task > Affects Versions: 2.10.0, 3.3.0 > Reporter: Wei-Chiu Chuang > Assignee: kevin su > Priority: Major > Labels: release-blocker > Attachments: HADOOP-16542.001.patch, HADOOP-16542.002.patch, > HADOOP-16542.003.patch > > > [http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cc628798f-315d-4428-8cb1-4ed1ecc95...@apache.org%3e] > {quote} > CVE-2019-10086. Apache Commons Beanutils does not suppresses the class > property in PropertyUtilsBean > by default. > Severity: Medium > Vendor: The Apache Software Foundation > Versions Affected: commons-beanutils-1.9.3 and earlier > Description: A special BeanIntrospector class was added in version 1.9.2. > This can be used to stop attackers from using the class property of > Java objects to get access to the classloader. > However this protection was not enabled by default. > PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class > level property access by default, thus protecting against > CVE-2014-0114. > Mitigation: 1.X users should migrate to 1.9.4. > {quote} -- This message was sent by Atlassian Jira (v8.3.2#803003) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org