[ https://issues.apache.org/jira/browse/ARTEMIS-1483?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram resolved ARTEMIS-1483.
-------------------------------------
    Resolution: Fixed

> Upgrade beanutils
> -----------------
>
>                 Key: ARTEMIS-1483
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1483
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.3.0
>            Reporter: Mike Hearn
>            Assignee: Justin Bertram
>             Fix For: 2.4.0
>
>
> In ARTEMIS-309 the version of Apache Commons Collections was upgraded to 
> 3.2.2; however, this fix was not sufficient because ACC is also pulled in via 
> Apache BeanUtils. This is a potential problem because it is enough for the 
> bad library to be anywhere on the classpath, so whether Artemis is vulnerable or 
> not may depend on the vagaries of classpath ordering (if both versions 
> somehow end up in the distribution by mistake).
> BeanUtils has a 1.9.3 release where the dependency was upgraded to fix the 
> CVE. If Artemis upgrades to BeanUtils 1.9.3 the problem is resolved.
> We noticed this in our project using the OWASP Dependency Scanner:
> https://www.owasp.org/index.php/OWASP_Dependency_Check
> It'd be a great thing for you guys to start using this wonderful plugin too. 
> The reports it generates are excellent.
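The transitive-dependency point above (the bad library counts wherever it sits on the classpath, including under BeanUtils), as an added example that is not part of the issue or of the Artemis project: a small script that walks `mvn dependency:tree` style output and reports every path that reaches commons-collections below 3.2.2, not only the direct one. The sample tree, the artifact versions in it and the `FIXED_VERSION` threshold are constructed assumptions for illustration.

```python
import re

# Constructed sample in the shape of `mvn dependency:tree -Dverbose` output
# (not a real Artemis build log): the direct ACC dependency is already at
# 3.2.2, but an older copy still arrives transitively via commons-beanutils.
SAMPLE_TREE = """\
[INFO] org.apache.activemq:artemis-server:jar:2.3.0
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] |  \\- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] \\- commons-collections:commons-collections:jar:3.2.2:compile
"""

FIXED_VERSION = (3, 2, 2)  # first ACC release the issue treats as fixed

# prefix: one 3-char column per nesting level ("|  " or "   "),
# conn: the "+- " / "\- " connector, absent only on the root line.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\|  |   )*)(?P<conn>[+\\]- )?(?P<coord>\S+)$")


def version_tuple(version):
    """Numeric tuple so that 3.2.10 compares greater than 3.2.2."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_tree(text):
    """Yield (path, group:artifact, version) for every node of the tree."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3 + (1 if m.group("conn") else 0)
        parts = m.group("coord").split(":")  # group:artifact:type:version[:scope]
        ga, version = ":".join(parts[:2]), parts[3]
        del stack[depth:]                    # unwind to this node's parent
        stack.append(f"{ga}:{version}")
        yield list(stack), ga, version


def find_vulnerable_paths(text, artifact="commons-collections:commons-collections"):
    """Every dependency path that pulls in `artifact` below FIXED_VERSION."""
    return [path for path, ga, version in parse_tree(text)
            if ga == artifact and version_tuple(version) < FIXED_VERSION]


if __name__ == "__main__":
    for path in find_vulnerable_paths(SAMPLE_TREE):
        print(" -> ".join(path))
```

Pinning commons-beanutils to 1.9.3 (or managing the ACC version centrally) empties the list; the direct 3.2.2 entry alone does not, which is the reporter's point.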



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)