Description
Hello,
A security vulnerability (CVE-2019-10086) was discovered in Apache Commons Beanutils 1.9.2. Previously, MyFaces had updated to 1.9.2 in this issue https://issues.apache.org/jira/browse/MYFACES-4032 relating to another security issue (CVE-2014-0114) but was found not vulnerable.
As for the current vulnerability, 1.9.2 had added a special BeanIntrospector class that prevents attackers from using the class property of all java objects to access the class loader. However, this behavior was not set as the default (1).
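The BeanIntrospector mechanism referred to above, as an added example that is not part of this issue or of the MyFaces code base: it assumes commons-beanutils 1.9.2 or 1.9.3 on the classpath and uses a constructed sample bean to show that the "class" property stays readable until SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS is registered.

```java
// Added example, not project code. Requires commons-beanutils 1.9.2+.
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Constructed sample bean; any plain JavaBean behaves the same way.
    public static class Converter {
        private String pattern = "yyyy-MM-dd";
        public String getPattern() { return pattern; }
        public void setPattern(String p) { pattern = p; }
    }

    // True when "class" (and through it getClassLoader()) is exposed as a bean property.
    static boolean classPropertyReadable(PropertyUtilsBean pu) {
        return pu.isReadable(new Converter(), "class");
    }

    // Registers the introspector added in 1.9.2 that hides the "class" property.
    // In 1.9.4 this introspector is registered by default, so the explicit call
    // becomes a no-op there.
    static PropertyUtilsBean hardened() {
        PropertyUtilsBean pu = new PropertyUtilsBean();
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pu;
    }

    public static void main(String[] args) throws Exception {
        PropertyUtilsBean defaults = new PropertyUtilsBean();
        // On 1.9.2/1.9.3 the first line prints true, the second false.
        System.out.println("default  : class readable = " + classPropertyReadable(defaults));
        System.out.println("hardened : class readable = " + classPropertyReadable(hardened()));

        // Ordinary properties keep working through the hardened instance,
        // so the MyFaces call sites (setProperty / isReadable) are unaffected.
        Converter c = new Converter();
        BeanUtilsBean bu = new BeanUtilsBean(new ConvertUtilsBean(), hardened());
        bu.setProperty(c, "pattern", "dd/MM/yyyy");
        System.out.println("pattern = " + c.getPattern());
    }
}
```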
It does not appear that MyFaces is vulnerable to this new vulnerability since there are only a few non-vulnerable startup uses of Apache Commons Beanutils in the MyFaces code:
impl/src/main/java/org/apache/myfaces/application/ApplicationImpl.java:
    BeanUtils.setProperty(converter, property.getPropertyName(), property.getDefaultValue())
impl/src/main/java/org/apache/myfaces/config/ManagedBeanBuilder.java:
    if (PropertyUtils.isReadable(bean, property.getPropertyName()))
    if (PropertyUtils.isReadable(bean, property.getPropertyName()))
However, I hope you may still upgrade MyFaces to use the latest update of Apache Commons Beanutils, version 1.9.4.
I've added patches for 2.2.x, 2.3.x and master. All three built successfully when I tested the update.
1. http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3CC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3E
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086