[ https://issues.apache.org/jira/browse/MYFACES-4300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16933712#comment-16933712 ]
Bill Lucy commented on MYFACES-4300:
------------------------------------

Thanks for the patch, [~volosied]! I've applied your patch from the 2.0 - master branches.

> Upgrade Apache Commons Beanutils to 1.9.4
> -----------------------------------------
>
>                 Key: MYFACES-4300
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4300
>             Project: MyFaces Core
>          Issue Type: Improvement
>          Components: JSR-344, JSR-372
>    Affects Versions: 2.2.12, 2.3.4
>            Reporter: Volodymyr Siedlecki
>            Priority: Minor
>         Attachments: MYFACES-4300-22x.patch, MYFACES-4300-23x.patch, MYFACES-4300-master.patch
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Hello,
>
> A security vulnerability (CVE-2019-10086) was discovered in Apache Commons Beanutils 1.9.2. Previously, MyFaces had updated to 1.9.2 in this issue https://issues.apache.org/jira/browse/MYFACES-4032 relating to another security issue (CVE-2014-0114) but was found *not* vulnerable.
>
> As for the current vulnerability, 1.9.2 had added a special BeanIntrospector class that prevents attackers from using the class property of all java objects to access the class loader. However, _this behavior was not set as the default_ (1).
>
> It does not appear that MyFaces is vulnerable to this new vulnerability since there are only a few non-vulnerable startup uses of Apache Commons Beanutils in the MyFaces code:
>
> impl/src/main/java/org/apache/myfaces/application/ApplicationImpl.java
>     BeanUtils.setProperty(converter, property.getPropertyName(), property.getDefaultValue())
>
> impl/src/main/java/org/apache/myfaces/config/ManagedBeanBuilder.java
>     if (PropertyUtils.isReadable(bean, property.getPropertyName()))
>     if (PropertyUtils.isReadable(bean, property.getPropertyName()))
>
> However, I hope you may still upgrade MyFaces to use the latest update of Apache Commons Beanutils, version 1.9.4.
>
> I've added patches for 2.2.x, 2.3.x, master. All three have built successfully when I tested the update.
>
> 1. [http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cc628798f-315d-4428-8cb1-4ed1ecc95...@apache.org%3E]
> 2. [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
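The issue text above describes the mechanism behind CVE-2019-10086: BeanUtils resolves the `class` property that every Java object exposes through `getClass()`, and from there `class.classLoader`, unless a `SuppressPropertiesBeanIntrospector` is registered; in 1.9.2 that introspector existed but was not registered by default. The following is an added example, written for this page and not code from MyFaces or from the issue, that probes a bean with attacker-style property paths against an unhardened `PropertyUtilsBean` and one with `SUPPRESS_CLASS` registered. The `Greeting` bean and the `probe` helper are hypothetical; the BeanUtils calls (`getNestedProperty`, `isReadable`, `addBeanIntrospector`, `BeanUtilsBean.getInstance().getPropertyUtils()`) are the real 1.9.x API. Run it against commons-beanutils 1.9.2 and then 1.9.4 to see the default change the reporter refers to: on 1.9.2 the unhardened instance resolves `class` and `class.classLoader`, while on 1.9.4 both instances reject `class` with a `NoSuchMethodException`.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyProbe {

    // Hypothetical bean standing in for a managed bean whose property names
    // come from configuration or, in the vulnerable pattern, from user input.
    public static class Greeting {
        private String text = "hello";
        public String getText() { return text; }
        public void setText(String text) { this.text = text; }
    }

    // Hypothetical helper: resolves an attacker-chosen (possibly nested)
    // property path and reports either the resolved value or the exception
    // that blocked the lookup.
    static String probe(PropertyUtilsBean pub, Object bean, String path) {
        try {
            boolean readable = pub.isReadable(bean, path);
            Object value = pub.getNestedProperty(bean, path);
            String shown = value == null ? "null"
                    : value.getClass().getName() + " -> " + value;
            return "readable=" + readable + ", value=" + shown;
        } catch (Exception e) {
            // With SUPPRESS_CLASS registered (or on 1.9.4 by default) the
            // "class" lookup fails here with NoSuchMethodException.
            return "blocked: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Greeting bean = new Greeting();
        // Constructed inputs: one legitimate property and the two paths an
        // attacker uses to reach the ClassLoader through getClass().
        String[] paths = { "text", "class", "class.classLoader" };

        // A fresh instance with whatever introspectors the library registers
        // by default: on 1.9.2 "class" resolves, on 1.9.4 it does not.
        PropertyUtilsBean unhardened = new PropertyUtilsBean();

        // Explicit hardening that is correct on every 1.9.x release, including
        // 1.9.2, where nothing is suppressed unless the caller does this.
        PropertyUtilsBean hardened = new PropertyUtilsBean();
        hardened.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

        for (String p : paths) {
            System.out.println("default  " + p + " => " + probe(unhardened, bean, p));
            System.out.println("hardened " + p + " => " + probe(hardened, bean, p));
        }

        // The static PropertyUtils and BeanUtils facades used at the MyFaces call
        // sites delegate to this shared instance, so hardening it covers them too.
        BeanUtilsBean.getInstance().getPropertyUtils()
                .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("shared   class => "
                + probe(BeanUtilsBean.getInstance().getPropertyUtils(), bean, "class"));
    }
}
```

The `isReadable` check is included deliberately: the MyFaces `ManagedBeanBuilder` lines quoted in the issue gate on it, and on an unhardened 1.9.2 instance `isReadable(bean, "class")` returns true, so the check alone does not stop a `class`-based lookup; what makes those call sites safe is that the property names come from managed-bean configuration rather than from the request. Registering `SUPPRESS_CLASS` on the shared instance is the belt-and-braces step for any code path that might later pass untrusted names.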