[ https://issues.apache.org/jira/browse/HADOOP-16542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Hung updated HADOOP-16542: ----------------------------------- Fix Version/s: 3.2.2 3.1.4 > Update commons-beanutils version to 1.9.4 > ----------------------------------------- > > Key: HADOOP-16542 > URL: https://issues.apache.org/jira/browse/HADOOP-16542 > Project: Hadoop Common > Issue Type: Task > Affects Versions: 3.3.0 > Reporter: Wei-Chiu Chuang > Assignee: kevin su > Priority: Major > Labels: release-blocker > Fix For: 3.3.0, 3.1.4, 3.2.2 > > Attachments: HADOOP-16542.001.patch, HADOOP-16542.002.patch, > HADOOP-16542.003.patch > > > [http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cc628798f-315d-4428-8cb1-4ed1ecc95...@apache.org%3e] > {quote} > CVE-2019-10086. Apache Commons Beanutils does not suppresses the class > property in PropertyUtilsBean > by default. > Severity: Medium > Vendor: The Apache Software Foundation > Versions Affected: commons-beanutils-1.9.3 and earlier > Description: A special BeanIntrospector class was added in version 1.9.2. > This can be used to stop attackers from using the class property of > Java objects to get access to the classloader. > However this protection was not enabled by default. > PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class > level property access by default, thus protecting against > CVE-2014-0114. > Mitigation: 1.X users should migrate to 1.9.4. > {quote} -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org