Bug 885963 (CVE-2014-3540) - VUL-0: CVE-2014-3540: jakarta-commons-beanutils: 'class' property is exposed, potentially leading to RCE
Status: RESOLVED UPSTREAM
Alias: CVE-2014-3540
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Major
Target Milestone: ---
Deadline: 2014-07-16
Assignee: E-mail List
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/103344/
Whiteboard: maint:running:58209:important
Keywords:
Depends on:
Blocks:
Reported: 2014-07-07 07:40 UTC by Victor Pereira
Modified: 2020-05-12 17:42 UTC
CC List: 7 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2014-07-07 07:40:59 UTC
CVE-2014-3540

It was found that commons-beanutils exposes the class property by default, with no mechanism to disable access to it. If a framework built on commons-beanutils does not otherwise suppress access to the class property, then a remote attacker could use this flaw to manipulate the ClassLoader used by the underlying container. This could lead to remote code execution under certain conditions.

This flaw was the root cause of CVE-2014-0114, a flaw in Apache Struts 1 that could lead to unauthenticated remote code execution under certain conditions.


References:
http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1116665
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3540
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3540
Comment 4 Bernhard Wiedemann 2014-07-08 12:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (885963) was mentioned in
https://build.opensuse.org/request/show/239880 Factory / apache-commons-beanutils
Comment 5 Swamp Workflow Management 2014-07-09 10:36:56 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-07-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58209
Comment 6 SMASH SMASH 2014-07-09 10:40:13 UTC
Affected packages:

SLE-11-SP3: jakarta-commons-beanutils
Comment 7 Ruediger Oertel 2014-07-30 13:11:23 UTC
ping
Comment 9 Marcus Meissner 2014-08-01 11:20:48 UTC
From Duncan:

The fix is not a fix, but a new API applications CAN use to write more secure
applications.

BeanUtils 1.9 introduced the possibility to customize bean introspection. With
the update they provide a custom bean introspector which ignores the class
property. In order to make it active, it has to be registered explicitly at a
BeanUtilsBean instance or the central BeanUtils object.

The 1.7 shipped with SLE-11 is a different package name, and does not have this
feature introduced in 1.9.

Also, there is no reason to fix it. Applications should implement the security
themselves. Or use the facilities in 1.9.
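The following is an added example illustrating the 1.9.2 mechanism described in the comment above; it is not code from this bug report or from commons-beanutils itself. It assumes commons-beanutils 1.9.2 or later (and its commons-logging dependency) on the classpath; the `User` bean and the `read()` helper are constructed for the demonstration. It first shows that a stock `BeanUtilsBean` resolves `class` and `class.classLoader` on any bean (the first hops of the traversal behind CVE-2014-0114; the container-specific tail of that path is deliberately left out), then shows the same lookups rejected once `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` is registered:

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added example (not from the bug report or the commons-beanutils project).
 * Assumes commons-beanutils >= 1.9.2 on the classpath.
 */
public class ClassPropertyDemo {

    /** Constructed bean of the kind a web framework populates from request parameters. */
    public static class User {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Resolves a (possibly nested) property the way a framework's populate() step would. */
    static String read(BeanUtilsBean bub, Object bean, String property) {
        try {
            return String.valueOf(bub.getProperty(bean, property));
        } catch (NoSuchMethodException e) {
            // Thrown when no property descriptor exists, i.e. the property is not exposed.
            return "REJECTED: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "ERROR: " + e;
        }
    }

    public static void main(String[] args) {
        User user = new User();
        user.setName("alice");

        // 1. Stock BeanUtilsBean: every object exposes 'class', and from there its
        //    ClassLoader and whatever the container hangs off that loader.
        BeanUtilsBean unsafe = new BeanUtilsBean();
        System.out.println("[unsafe] name              -> " + read(unsafe, user, "name"));
        System.out.println("[unsafe] class             -> " + read(unsafe, user, "class"));
        System.out.println("[unsafe] class.classLoader -> " + read(unsafe, user, "class.classLoader"));

        // 2. Hardened instance: register the suppressing introspector BEFORE any bean
        //    is introspected. PropertyUtilsBean caches descriptors per class, so a
        //    late registration does not affect classes it has already seen unless
        //    the cache is cleared.
        BeanUtilsBean safe = new BeanUtilsBean();
        PropertyUtilsBean pub = safe.getPropertyUtils();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pub.clearDescriptors(); // defensive: drop anything cached before registration
        System.out.println("[safe]   name              -> " + read(safe, user, "name"));
        System.out.println("[safe]   class             -> " + read(safe, user, "class"));
        System.out.println("[safe]   class.classLoader -> " + read(safe, user, "class.classLoader"));

        // 3. The static BeanUtils / PropertyUtils facades delegate to the
        //    per-context-classloader instance returned by getInstance(); harden that
        //    too if any code path uses the static API.
        BeanUtilsBean.getInstance().getPropertyUtils()
                .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
    }
}
```

Two caveats for anyone applying this on an existing code base: the introspector only protects the `BeanUtilsBean`/`PropertyUtilsBean` instance it is registered with, so every instance an application or framework creates (including the one behind the static facades) needs its own registration; and because `SuppressPropertiesBeanIntrospector` is configurable, the same mechanism can suppress other properties a framework should never let request data reach, not only `class`. Later releases (1.9.4 and newer) suppress the `class` property by default; the versions discussed on this page predate that.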