[ https://issues.apache.org/jira/browse/HADOOP-16542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16926551#comment-16926551 ]

Hudson commented on HADOOP-16542:
---------------------------------

FAILURE: Integrated in Jenkins build Hadoop-trunk-Commit #17268 (See 
[https://builds.apache.org/job/Hadoop-trunk-Commit/17268/])
HADOOP-16542. Update commons-beanutils version to 1.9.4. Contributed by 
(weichiu: rev 38c1a10024476ae78975e4dc7d27a1524722b79d)
* (edit) hadoop-project/pom.xml


> Update commons-beanutils version to 1.9.4
> -----------------------------------------
>
>                 Key: HADOOP-16542
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16542
>             Project: Hadoop Common
>          Issue Type: Task
>    Affects Versions: 2.10.0, 3.3.0
>            Reporter: Wei-Chiu Chuang
>            Assignee: kevin su
>            Priority: Major
>              Labels: release-blocker
>         Attachments: HADOOP-16542.001.patch, HADOOP-16542.002.patch, 
> HADOOP-16542.003.patch
>
>
> [http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cc628798f-315d-4428-8cb1-4ed1ecc95...@apache.org%3e]
>  {quote}
> CVE-2019-10086. Apache Commons Beanutils does not suppress the class 
> property in PropertyUtilsBean
> by default.
> Severity: Medium
> Vendor: The Apache Software Foundation
> Versions Affected: commons-beanutils-1.9.3 and earlier
> Description: A special BeanIntrospector class was added in version 1.9.2.
> This can be used to stop attackers from using the class property of
> Java objects to get access to the classloader.
> However this protection was not enabled by default.
> PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
> level property access by default, thus protecting against
> CVE-2014-0114.
> Mitigation: 1.X users should migrate to 1.9.4.
> {quote}



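The quoted advisory says the `class`-suppressing BeanIntrospector has existed since 1.9.2 but is only enabled by default from 1.9.4. The following is an added example, not code from the Hadoop patch or the Commons project: it checks which behaviour the commons-beanutils jar on the classpath has, and shows the explicit opt-in for code that cannot upgrade yet. The names `ClassPropertyCheck` and `Sample` are hypothetical, and it assumes commons-beanutils 1.9.2 or later is on the classpath.

```java
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Constructed sample bean; any JavaBean behaves the same way.
    public static class Sample {
        private String name = "demo";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Returns true if this PropertyUtilsBean resolves the "class" property. */
    static boolean exposesClass(PropertyUtilsBean pub) {
        try {
            return pub.getProperty(new Sample(), "class") != null;
        } catch (NoSuchMethodException e) {
            // Thrown when no descriptor for "class" is known, i.e. it is suppressed.
            return false;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Library defaults: per the advisory, 1.9.3 and earlier expose "class",
        // while 1.9.4 disallows it.
        PropertyUtilsBean defaults = new PropertyUtilsBean();
        System.out.println("default config exposes class:  " + exposesClass(defaults));

        // Explicit opt-in using the introspector added in 1.9.2. The shared
        // instance is reached via BeanUtilsBean.getInstance().getPropertyUtils().
        PropertyUtilsBean hardened = new PropertyUtilsBean();
        hardened.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("hardened config exposes class: " + exposesClass(hardened));

        // A non-zero exit lets a build or startup check fail on a stale jar.
        if (exposesClass(defaults)) {
            System.err.println("commons-beanutils on the classpath predates 1.9.4");
            System.exit(1);
        }
    }
}
```

Because it tests behaviour rather than a version string, the check also catches an older commons-beanutils pulled in transitively or shaded into another artifact.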