[ https://issues.apache.org/jira/browse/MSHARED-961?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Elliotte Rusty Harold updated MSHARED-961:
------------------------------------------
    Summary: Upgrade BeanShell to 2.0b6  (was: Upgrde BeanShell to 2.0b6)

> Upgrade BeanShell to 2.0b6
> --------------------------
>
>                 Key: MSHARED-961
>                 URL: https://issues.apache.org/jira/browse/MSHARED-961
>             Project: Maven Shared Components
>          Issue Type: Dependency upgrade
>          Components: maven-script-interpreter
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>             Fix For: maven-script-interpreter-1.3
>
>
> Update to latest available BeanShell version 2.0b6
> [https://github.com/beanshell/beanshell/releases/tag/2.0b6]
> BeanShell 2.0b6 is a security update that is functionally equivalent to the 
> previous version 2.0b5.
> No other functionality has changed since 2.0b5, but this is a *recommended 
> update* for all BeanShell users, as it fixes a remote code execution 
> vulnerability.
> h2. Security fix (CVE-2016-2510)
> This release fixes a remote code execution vulnerability that was identified 
> in BeanShell by [Alvaro Muñoz|https://twitter.com/pwntester] and [Christian 
> Schneider|https://twitter.com/cschneider4711]. The BeanShell team would like 
> to thank them for their help and contributions to this fix!
> An application that includes BeanShell on the classpath may be vulnerable if 
> another part of the application uses [Java 
> serialization|https://docs.oracle.com/javase/tutorial/jndi/objects/serial.html]
>  or [XStream|http://x-stream.github.io/] to deserialize data from an 
> untrusted source.
> A vulnerable application could be exploited for remote code execution, 
> including executing arbitrary shell commands.
> This update fixes the vulnerability in BeanShell, but it is worth noting that 
> applications doing such deserialization might still be insecure through other 
> libraries. It is recommended that application developers take further 
> measures such as using a restricted class loader when deserializing. See 
> notes on [Java serialization 
> security|http://www.oracle.com/technetwork/java/seccodeguide-139067.html#8], 
> [XStream security|http://x-stream.github.io/security.html] and [How to secure 
> deserialization from untrusted input without using encryption or 
> sealing|http://www.ibm.com/developerworks/library/se-lookahead/].
> A [MITRE CVE number|http://cve.mitre.org/cve/] has been reserved: 
> [CVE-2016-2510|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2510]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
