This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch 1.X
in repository https://gitbox.apache.org/repos/asf/commons-beanutils.git


The following commit(s) were added to refs/heads/1.X by this push:
     new f799bbeb Document release of CVE-2025-48734
f799bbeb is described below

commit f799bbeb42f1b3f6ce603c86f42740e78b6fbcf5
Author: Gary Gregory <garydgreg...@gmail.com>
AuthorDate: Wed May 28 10:04:05 2025 -0400

    Document release of CVE-2025-48734
    
    CVE-2025-48734: Apache Commons BeanUtils: PropertyUtilsBean does not 
suppresses an enum's declaredClass property by default 
(https://www.cve.org/CVERecord?id=CVE-2025-48734)
---
 src/changes/changes.xml    |   1 +
 src/site/xdoc/security.xml | 125 ++++++++++++++++++++++++++++++++++-----------
 2 files changed, 97 insertions(+), 29 deletions(-)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index e0f1e8b8..b271c829 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -35,6 +35,7 @@
     </release>
     <release version="1.11.0" date="2025-05-25" description="This is a 
maintenance release and requires Java 8.">
       <!-- FIX -->
+      <action type="fix" dev="ggregory" due-to="Raj, Muthukumar Marikani, Gary 
Gregory">CVE-2025-48734: Apache Commons BeanUtils: PropertyUtilsBean does not 
suppresses an enum's declaredClass property by default 
(https://www.cve.org/CVERecord?id=CVE-2025-48734).</action>
       <action type="fix" dev="ggregory" due-to="Gary 
Gregory">BeanComparator.compare(T, T) now throws IllegalArgumentException 
instead of RuntimeException to wrap all cases of 
ReflectiveOperationException.</action>
       <action type="fix" dev="ggregory" due-to="Gary 
Gregory">MappedMethodReference.get() now throws IllegalStateException instead 
of RuntimeException to wrap cases of NoSuchMethodException.</action>
       <action type="fix" dev="ggregory" due-to="Gary 
Gregory">ResultSetIterator.get(String) now throws IllegalArgumentException 
instead of RuntimeException to wrap cases of SQLException.</action>
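Review bot: the new `fix` action repeats "PropertyUtilsBean does not suppresses an enum's declaredClass property" verbatim from the CVE title; if the entry is meant to quote the published record exactly, keep it, otherwise "does not suppress" is the grammatical form, and whichever is chosen should match the wording used for the same CVE in security.xml in this commit. Placing the entry at the top of the 1.11.0 release block, ahead of the other fixes, is the right spot for a security fix.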
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index 34b02c75..abad0012 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -1,25 +1,11 @@
 <?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements.  See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership.  The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License.  You may obtain a copy of the License at
-
-   https://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied.  See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<document xmlns="http://maven.apache.org/XDOC/2.0";
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-  xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 
http://maven.apache.org/xsd/xdoc-2.0.xsd";>
+<!-- Licensed to the Apache Software Foundation (ASF) under one or more 
contributor license agreements. See the NOTICE file distributed with this work 
for additional information regarding 
+  copyright ownership. The ASF licenses this file to you under the Apache 
License, Version 2.0 (the "License"); you may not use this file except in 
compliance with the License. You may 
+  obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0 
Unless required by applicable law or agreed to in writing, software distributed 
under the License is distributed 
+  on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either 
express or implied. See the License for the specific language governing 
permissions and limitations under the 
+  License. -->
+<document xmlns="http://maven.apache.org/XDOC/2.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+  xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 
https://maven.apache.org/xsd/xdoc-2.0.xsd";>
   <properties>
     <title>Apache Commons Security Reports</title>
     <author email="d...@commons.apache.org">Apache Commons Team</author>
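Review bot: the license header is reflowed into one wrapped comment for purely cosmetic reasons, which adds roughly twenty changed lines that have nothing to do with documenting the CVE; keeping the standard multi-line ASF header as it was would keep the diff focused on the security page. The change of the xsi:schemaLocation from http://maven.apache.org/xsd/xdoc-2.0.xsd to the https:// URL is worthwhile and can stay.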
@@ -28,24 +14,105 @@
     <section name="About Security">
       <p>
         For information about reporting or asking questions about security, 
please see
-        <a href="https://commons.apache.org/security.html";>Apache Commons 
Security</a>.
+        <a href="https://commons.apache.org/security.html";>Apache Commons 
Security</a>
+        .
       </p>
-      <p>This page lists all security vulnerabilities fixed in released 
versions of this component. 
+      <p>This page lists all security vulnerabilities fixed in released 
versions of this component.
       </p>
       <p>Please note that binary patches are never provided. If you need to 
apply a source code patch, use the building instructions for the component 
version
-        that you are using. 
+        that you are using.
       </p>
       <p>
         If you need help on building this component or other help on following 
the instructions to mitigate the known vulnerabilities listed here, please send
-        your questions to the public
-        <a href="mail-lists.html">user mailing list</a>.
+        your questions to the
+        public
+        <a href="mail-lists.html">user mailing list</a>
+        .
       </p>
       <p>If you have encountered an unlisted security vulnerability or other 
unexpected behavior that has security impact, or if the descriptions here are
-        incomplete, please report them privately to the Apache Security Team. 
Thank you. 
+        incomplete, please report
+        them privately to the Apache Security Team. Thank you.
       </p>
     </section>
     <section name="Security Vulnerabilities">
-      <p>None.</p>
+      <subsection name="CVE-2019-10086">
+        <ul>
+          <li>CVE-2019-10086: Apache Commons Beanutils does not suppresses the 
class property in PropertyUtilsBean by default.</li>
+          <li>Severity: Medium</li>
+          <li>Vendor: The Apache Software Foundation</li>
+          <li>Versions Affected: commons-beanutils-1.9.3 and earlier</li>
+          <li>Description: A special BeanIntrospector class was added in 
version 1.9.2.
+            This can be used to stop attackers from using the class property of
+            Java objects to get access to the classloader.
+            However this protection was not enabled by default.
+            PropertyUtilsBean (and consequently BeanUtilsBean) now disallows 
class
+            level property access by default, thus protecting against
+            CVE-2014-0114.
+          </li>
+          <li>Mitigation: 1.X users should migrate to 1.9.4.</li>
+          <li>Credit: This was discovered by Melloware 
(https://melloware.com/).</li>
+        </ul>
+        <p>
+          Example:
+        </p>
+<pre>
+/**
+ * Example displaying the new default behavior such that
+ * it is not possible to access class level properties utilizing the
+ * BeanUtilsBean, which in turn utilizes the PropertyUtilsBean.
+ */
+public void testSuppressClassPropertyByDefault() throws Exception {
+    final BeanUtilsBean bub = new BeanUtilsBean();
+    final AlphaBean bean = new AlphaBean();
+    try {
+        bub.getProperty(bean, "class");
+        fail("Could access class property!");
+    } catch (final NoSuchMethodException ex) {
+        // ok
+    }
+}
+
+/**
+ * Example showing how by which one would use to revert to the 
+ * behaviour prior to the 1.9.4 release where class level properties were 
accessible by
+ * the BeanUtilsBean and the PropertyUtilsBean.
+ */
+public void testAllowAccessToClassProperty() throws Exception {
+    final BeanUtilsBean bub = new BeanUtilsBean();
+    
bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+    final AlphaBean bean = new AlphaBean();
+    String result = bub.getProperty(bean, "class");
+    assertEquals("Class property should have been accessed", "class 
org.apache.commons.beanutils2.AlphaBean", result);
+}
+</pre>
+        <p>
+          References:
+        </p>
+        <ol>
+          <li>https://issues.apache.org/jira/browse/BEANUTILS-520</li>
+          <li>http://commons.apache.org/proper/commons-beanutils/</li>
+        </ol>
+      </subsection>
+      <subsection name="CVE-2025-48734">
+        <ul>
+          <li><a 
href="https://www.cve.org/CVERecord?id=CVE-2025-48734";>CVE-2025-48734</a>: 
Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's 
declaredClass property by default</li>
+          <li>Severity: important</li>
+          <li>Affected versions: 1.x 1.0 before 1.11.0</li>
+          <li>Affected versions: 2.x 2.0.0-M1 before 2.0.0-M2</li>
+          <li>Description: Improper Access Control vulnerability in Apache 
Commons.
+              A special BeanIntrospector class was added in version 1.9.2. 
This can be used to stop attackers from using the declared class property of 
Java enum objects to get access to the classloader. However this protection was 
not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now 
disallows declared class level property access by default.
+              Releases 1.11.0 and 2.0.0-M2 address a potential security issue 
when accessing enum properties in an uncontrolled way. If an application using 
Commons BeanUtils passes property paths from an external source directly to the 
getProperty() method of PropertyUtilsBean, an attacker can access the enum’s 
class loader via the “declaredClass” property available on all Java “enum” 
objects. Accessing the enum’s “declaredClass” allows remote attackers to access 
the ClassLoader and exe [...]
+              Starting in versions 1.11.0 and 2.0.0-M2 a special 
BeanIntrospector suppresses the “declaredClass” property. Note that this new 
BeanIntrospector is enabled by default, but you can disable it to regain the 
old behavior; see section 2.5 of the user's guide and the unit tests.
+              This issue affects Apache Commons BeanUtils 1.x before 1.11.0, 
and 2.x before 2.0.0-M2.
+          </li>
+          <li>Mitigation: Users of the artifact 
commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 
1.11.0, which fixes the issue.</li>
+          <li>Mitigation: Users of the artifact 
org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 
2.0.0-M2, which fixes the issue.</li>
+          <li>Credit: Raj (mailto:denesh....@zohocorp.com) (reporter)</li>
+          <li>Credit: Muthukumar Marikani 
(mailto:muthukumar.marik...@zohocorp.com) (finder)</li>
+          <li>Reference: https://commons.apache.org/</li>
+          <li>Reference: <a 
href="https://www.cve.org/CVERecord?id=CVE-2025-48734";>CVE-2025-48734</a></li>
+        </ul>
+      </subsection>
     </section>
   </body>
-</document>
\ No newline at end of file
+</document>
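Review bot: the CVE-2025-48734 description is cut off mid-sentence at "allows remote attackers to access the ClassLoader and exe [...]"; the advisory text should be pasted in full so the published page does not end that sentence with an ellipsis. Two smaller points in the same hunk: the `testAllowAccessToClassProperty` example asserts on "class org.apache.commons.beanutils2.AlphaBean", yet this is the 1.X branch of commons-beanutils:commons-beanutils (beanutils2 is the 2.x artifact named in the mitigation line), so the expected string looks copied from the 2.x page; and moving the trailing periods onto their own lines after the `</a>` of the Apache Commons Security and user mailing list links will render as "Security ." with a stray space in the generated HTML. The comment "Example showing how by which one would use to revert" also needs a grammatical pass, and the two subsections use different labels ("Versions Affected:" versus "Affected versions:"), which should be unified.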
