[beanutils]


[beanutils]

Grimmett, Tim@FTB
Any idea why the following vulnerability has not been updated to reflect what version the fix was in?
Looks like in "BEANUTILS-463" Apache says it was fixed in 1.9.2, but the CVE on the National Vulnerability Database (NVD) does not reflect that.
https://issues.apache.org/jira/browse/BEANUTILS-463


commons-beanutils : 1.9.2
CVE-2014-0114 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114>, commons-beanutils through 1.9.2 does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method.

Just wondering,

Tim Grimmett
Information Security Oversight Unit (ISOU)-AppSec Team
Privacy, Security and Disclosure Bureau (PSDB)
Franchise Tax Board
(916) 845-4537

Secure coding is about increasing the complexity
demanded for an attack to succeed.

______________________________________________________________________
CONFIDENTIALITY NOTICE: This email from the State of California is for the sole use of the intended recipient and may contain confidential and privileged information. Any unauthorized review or use, including disclosure or distribution, is prohibited. If you are not the intended recipient, please contact the sender and destroy all copies of this email.

Re: [beanutils]

Greg Thomas
At a guess (I don't know), it's because by default commons-beanutils
behaviour is unchanged. It's necessary to use a custom inspector that
ignores the class property - i.e. it's necessary for callers of the library
to do the right thing.

Greg

On Fri, 24 Aug 2018 at 01:11, Grimmett, Tim@FTB <[hidden email]>
wrote:

> Any idea why the following vulnerability has not been updated to reflect
> what version the fix was in?
> Looks like in "BEANUTILS-463" Apache says it was fixed in 1.9.2, but the
> CVE on the National Vulnerability Database (NVD) does not reflect that.
> https://issues.apache.org/jira/browse/BEANUTILS-463
>
>
> commons-beanutils : 1.9.2
> CVE-2014-0114 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114>,
> commons-beanutils through 1.9.2 does not suppress the class property, which
> allows remote attackers to "manipulate" the ClassLoader and execute
> arbitrary code via the class parameter, as demonstrated by the passing of
> this parameter to the getClass method.
>
> Just wondering,
>
> Tim Grimmett
> Information Security Oversight Unit (ISOU)-AppSec Team
> Privacy, Security and Disclosure Bureau (PSDB)
> Franchise Tax Board
> (916) 845-4537
>
> Secure coding is about increasing the complexity
> demanded for an attack to succeed.
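The opt-in mitigation Greg describes, as an added example that is not part of the thread or of the commons-beanutils project: in 1.9.2 the "custom inspector" is a BeanIntrospector, and the library ships one for exactly this case, SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS. The code below builds two BeanUtilsBean instances, one with the default introspection (behaviour unchanged from earlier releases, so the class property, and through it class.classLoader, is still reachable) and one with the suppressing introspector registered, and checks whether the property resolves on each. It assumes commons-beanutils 1.9.2 on the classpath; UserForm, ClassPropertyDemo and the parameter map are constructed here for illustration.

```java
// Added example (not from the thread): reaching, then suppressing, the
// "class" pseudo-property in commons-beanutils 1.9.2. UserForm and the
// parameter map are constructed for illustration.
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyDemo {

    /** A plain form bean of the kind request parameters get copied into. */
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Resolves a (possibly nested) property name against the bean using the
     * given PropertyUtilsBean and returns the runtime type of the result, or
     * null if the property is not exposed. With default introspection,
     * "class" yields java.lang.Class and "class.classLoader" yields a
     * ClassLoader; that is the reachability the CVE description refers to.
     */
    static String resolvedType(PropertyUtilsBean pub, Object bean, String property) {
        try {
            Object value = pub.getProperty(bean, property);
            return value == null ? null : value.getClass().getName();
        } catch (NoSuchMethodException e) {
            return null;            // property not exposed: the desired outcome
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    /** Default configuration: introspection identical to pre-1.9.2 releases. */
    static BeanUtilsBean defaultBeanUtils() {
        return new BeanUtilsBean();
    }

    /**
     * Hardened configuration: register the introspector that removes the
     * "class" property. Register it BEFORE the bean class is first
     * introspected, or call clearDescriptors(), because descriptors are
     * cached per class and a stale entry would still expose "class".
     */
    static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean bub = new BeanUtilsBean();
        PropertyUtilsBean pub = bub.getPropertyUtils();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pub.clearDescriptors();
        return bub;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for request parameters; only benign keys here,
        // the hostile path is probed via resolvedType() below.
        Map<String, Object> params = new HashMap<>();
        params.put("name", "alice");

        for (boolean hardened : new boolean[] { false, true }) {
            BeanUtilsBean bub = hardened ? hardenedBeanUtils() : defaultBeanUtils();
            UserForm form = new UserForm();
            bub.populate(form, params);          // normal population still works
            PropertyUtilsBean pub = bub.getPropertyUtils();
            System.out.println((hardened ? "hardened" : "default ")
                    + " name=" + form.getName()
                    + " class=" + resolvedType(pub, form, "class")
                    + " class.classLoader=" + resolvedType(pub, form, "class.classLoader"));
        }
    }
}
```

Two practical points follow from this. First, the static BeanUtils.populate / PropertyUtils.getProperty facades delegate to BeanUtilsBean.getInstance(), so code that uses them must register the introspector on that shared instance (BeanUtilsBean.getInstance().getPropertyUtils().addBeanIntrospector(...)) rather than on a private one, and must do so before any population has cached descriptors for the target classes. Second, this opt-in behaviour is specific to 1.9.2 and 1.9.3; from 1.9.4 onward the library suppresses the class property by default, so on those versions the hardened configuration above is redundant but harmless.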