Commons-BeanUtils: Arbitrary code execution — GLSA 201607-09

Apache Commons BeanUtils does not properly suppress the class property, which could lead to the remote execution of arbitrary code.

Affected Packages

dev-java/commons-beanutils on all architectures
Affected versions < 1.9.2
Unaffected versions >= 1.9.2

Background

Commons-beanutils provides easy-to-use wrappers around Reflection and Introspection APIs

Description

Apache Commons BeanUtils does not suppress the class property, which allows for the manipulation of the ClassLoader.

Impact

Remote attackers could potentially execute arbitrary code with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Commons BeanUtils users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=dev-java/commons-beanutils-1.9.2"
 

References

Release Date
July 20, 2016

Latest Revision
July 20, 2016: 1

Severity
normal

Exploitable
remote

Bugzilla entries