Discussion:
[beanutils]
Grimmett, Tim@FTB
2018-08-23 22:35:39 UTC
Any idea why the following vulnerability has not been updated to reflect what version the fix was in?
Looks like in "BEANUTILS-463" Apache says it was fixed in 1.9.2, but the CVE on the National Vulnerability Database (NVD) does not reflect that.
https://issues.apache.org/jira/browse/BEANUTILS-463


commons-beanutils : 1.9.2
CVE-2014-0114 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114>, commons-beanutils through 1.9.2 does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method.

Just wondering,

Tim Grimmett
Information Security Oversight Unit (ISOU)-AppSec Team
Privacy, Security and Disclosure Bureau (PSDB)
Franchise Tax Board
(916) 845-4537

Secure coding is about increasing the complexity
demanded for an attack to succeed.

______________________________________________________________________
CONFIDENTIALITY NOTICE: This email from the State of California is for the sole use of the intended recipient and may contain confidential and privileged information. Any unauthorized review or use, including disclosure or distribution, is prohibited. If you are not the intended recipient, please contact the sender and destroy all copies of this email.
Greg Thomas
2018-08-26 14:54:41 UTC
At a guess (I don't know), it's because by default commons-beanutils
behaviour is unchanged. It's necessary to use a custom inspector that
ignores the class property - i.e. it's necessary for callers of the library
to do the right thing.

Greg
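
Added example, not part of the thread and not the project's own code: one way a caller can register the inspector that ignores the class property, as the reply above describes, using the SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS constant that ships with commons-beanutils 1.9.2. It assumes commons-beanutils 1.9.2 on the classpath; the UserForm bean and the helper names are hypothetical.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassProperty {

    // Hypothetical form bean, standing in for any object bound from request parameters.
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Build a BeanUtilsBean whose introspection drops the "class" property.
    // Register the introspector at startup, before this instance inspects any bean.
    static BeanUtilsBean hardened() {
        BeanUtilsBean bub = new BeanUtilsBean();
        bub.getPropertyUtils()
           .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    // True if the given instance can still resolve a path that goes through "class".
    static boolean classReachable(PropertyUtilsBean props, Object bean) throws Exception {
        if (props.getPropertyDescriptor(bean, "class") != null) {
            return true;
        }
        try {
            props.getProperty(bean, "class.name");
            return true;
        } catch (NoSuchMethodException expected) {
            return false; // "class" is no longer a known property of the bean
        }
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();
        PropertyUtilsBean defaults = new BeanUtilsBean().getPropertyUtils();
        BeanUtilsBean safe = hardened();

        System.out.println("default instance exposes class:  " + classReachable(defaults, form));
        System.out.println("hardened instance exposes class: " + classReachable(safe.getPropertyUtils(), form));

        // Ordinary properties still bind through the hardened instance.
        safe.setProperty(form, "name", "alice");
        System.out.println("name = " + form.getName());
    }
}
```

Code that goes through the static BeanUtils or PropertyUtils helpers uses the shared instance returned by BeanUtilsBean.getInstance(), so the same addBeanIntrospector call has to be made on that instance's PropertyUtilsBean for those call sites to be covered.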