[ https://issues.apache.org/jira/browse/VELTOOLS-170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mark Symons updated VELTOOLS-170:
---------------------------------
    Summary: Upgrade beanutils to 1.9.2 & suppress access to class and Class  (was: Upgrade beanutils to 1.9.2)

> Upgrade beanutils to 1.9.2 & suppress access to class and Class
> ---------------------------------------------------------------
>
>                 Key: VELTOOLS-170
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-170
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 2.0
>            Reporter: Mark Symons
>            Priority: Critical
>
> Update dependency on commons-beanutils:commons-beanutils to v1.9.2 and mitigate CVE-2014-0114. See BEANUTILS-463 for fix info.
> Velocity Tools v2.0 currently uses bean-utils v1.7.0.
> Whilst the CVE text references beanutils v1.8.0, Black Duck Hub threat analysis has updated affected versions to include 1.7.0.
> {quote}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
> {quote}
> h5. CVSS Version 2 Metrics:
> Access Vector: Network exploitable
> Access Complexity: Low
> Authentication: Not required to exploit
> Impact Type:
> * Allows unauthorized disclosure of information
> * Allows unauthorized modification
> * Allows disruption of service
> h3. Edit: 28th November 2016
> Sonatype Nexus IQ identifies beanutils as a threat as of v1.24 (late November 2016). From the vulnerability information provided (and highlighting in red the bit that applies to Velocity Tools):
> {quote}
> h4. Explanation
> Apache Commons BeanUtils is vulnerable to ClassLoader manipulation which can lead to Remote Code Execution (RCE). Access to the {{class}} and {{Class}} properties is not suppressed, exposing them by default. An attacker can construct malicious input using the {{class property}} in order to manipulate the {{ClassLoader}}, potentially leading to arbitrary code execution.
> h4. Detection
> {color:red}If you are the calling application, you are vulnerable by running this component without filtering the property names {{class}} and {{Class}}{color}. If this is a transitive dependency, you will want to contact the parent project to ensure they have added a mitigating control.
> Note: If you are using the built-in implementation of {{SuppressPropertiesBeanIntrospector}} added in version 1.9.2 of {{commons-beanutils}} as your mitigation, you are still vulnerable. Although the built-in implementation specifically suppresses the {{class}} property, it does not also suppress {{Class}}.
> h4. Recommendation
> Although commons-beanutils offers a built-in implementation of SuppressPropertiesBeanIntrospector in version 1.9.2 that specifically suppresses the “class” property, it does not also suppress “Class”. Due to this insufficient fix, which is also not enabled by default, we recommend implementing your own custom mitigating control such as the one found here - https://community.hpe.com/t5/Security-Research/Protect-your-Struts1-applications/ba-p/6463188#.VCUfrhYvBaV.
> {quote}
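As an added illustration that is not part of the issue, the Velocity Tools code base, or the HPE control linked above, this is the kind of mitigating control a calling application can register on top of commons-beanutils 1.9.2: a SuppressPropertiesBeanIntrospector built with both property names the advisory calls out, rather than the built-in SUPPRESS_CLASS instance that covers only "class". It assumes commons-beanutils 1.9.2 on the classpath; BeanUtilsHardening and its method names are hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Hides both "class" and "Class" from BeanUtils property resolution so that a
 * request-driven property path can no longer reach the bean's ClassLoader
 * through the class property. Call install() once at application start-up,
 * before any request is bound to a bean (e.g. from a ServletContextListener).
 */
public final class BeanUtilsHardening {

    // Both names from the advisory; the built-in SUPPRESS_CLASS covers only "class".
    private static final Set<String> SUPPRESSED =
        new HashSet<String>(Arrays.asList("class", "Class"));

    private BeanUtilsHardening() {}

    public static void install() {
        PropertyUtilsBean pub = BeanUtilsBean.getInstance().getPropertyUtils();
        // Custom introspector instance with the full name set.
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(SUPPRESSED));
        // Descriptors cached before install() still expose the property; drop them.
        pub.clearDescriptors();
    }

    /** Returns true when neither suppressed name is readable on the given bean. */
    public static boolean isHardened(Object bean) {
        PropertyUtilsBean pub = BeanUtilsBean.getInstance().getPropertyUtils();
        for (String name : SUPPRESSED) {
            if (pub.isReadable(bean, name)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        Object sample = new Object();  // constructed sample bean
        System.out.println("before: hardened=" + isHardened(sample));
        install();
        System.out.println("after:  hardened=" + isHardened(sample));
    }
}
```

Run isHardened() against the actual form or model beans the application binds request data into, not only against a plain Object, since each bean's descriptors are cached separately.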