GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Wed Jul 20, 2016 10:26 am Post subject: [ GLSA 201607-09 ] Commons-BeanUtils
Gentoo Linux Security Advisory
Title: Commons-BeanUtils: Arbitrary code execution (GLSA 201607-09)
Severity: normal
Exploitable: remote
Date: July 20, 2016
Bug(s): #534498
ID: 201607-09
Synopsis
Apache Commons BeanUtils does not properly suppress the class
property, which could lead to the remote execution of arbitrary code.
Background
Commons-beanutils provides easy-to-use wrappers around the Reflection and
Introspection APIs.
Affected Packages
Package: dev-java/commons-beanutils
Vulnerable: < 1.9.2
Unaffected: >= 1.9.2
Architectures: All supported architectures
Description
Apache Commons BeanUtils does not suppress the class property, which
allows for the manipulation of the ClassLoader.
Impact
Remote attackers could potentially execute arbitrary code with the
privileges of the process.
Workaround
There is no known workaround at this time.
Resolution
All Commons BeanUtils users should upgrade to the latest version:

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/commons-beanutils-1.9.2"
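Upgrading to 1.9.2 makes SuppressPropertiesBeanIntrospector available, but the application still has to register it on the BeanUtilsBean instance it uses. The following Java example is added here and is not part of the advisory or of the BeanUtils project; the Settings bean and the input map are constructed, and the code shows that registration together with a check that the class property no longer resolves.

```java
import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsHardening {

    /** Hypothetical bean that an application fills from untrusted request parameters. */
    public static class Settings {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** BeanUtilsBean that no longer exposes getClass() as the "class" property (needs 1.9.2+). */
    public static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean utils = new BeanUtilsBean();
        // Register before any bean class is introspected: PropertyUtilsBean caches descriptors.
        utils.getPropertyUtils().addBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return utils;
    }

    /** True when "class" (the entry point to the ClassLoader) does not resolve on this instance. */
    public static boolean isClassPropertySuppressed(BeanUtilsBean utils)
            throws IllegalAccessException, InvocationTargetException, NoSuchMethodException {
        return utils.getPropertyUtils().getPropertyDescriptor(new Settings(), "class") == null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: one legitimate key and one that names the "class" property.
        Map<String, Object> untrusted = new HashMap<String, Object>();
        untrusted.put("name", "alice");
        untrusted.put("class", "ignored");

        BeanUtilsBean unhardened = new BeanUtilsBean();
        BeanUtilsBean hardened = hardenedBeanUtils();
        System.out.println("default suppresses class: " + isClassPropertySuppressed(unhardened));
        System.out.println("hardened suppresses class: " + isClassPropertySuppressed(hardened));

        // populate() silently skips keys with no matching property, so only "name" is applied.
        Settings settings = new Settings();
        hardened.populate(settings, untrusted);
        System.out.println("name = " + settings.getName());
    }
}
```

Use the hardened instance everywhere instead of the static BeanUtils helpers, since those delegate to BeanUtilsBean.getInstance(), which the registration above does not touch.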
References
CVE-2014-0114