Commons-BeanUtils: Arbitrary code execution

2016-07-20T00:00:00
ID GLSA-201607-09
Type gentoo
Reporter Gentoo Foundation
Modified 2016-07-20T00:00:00

Description

Background

Commons-beanutils provides easy-to-use wrappers around the Java Reflection and Introspection APIs.

Description

Apache Commons BeanUtils does not suppress the class property, which allows for the manipulation of the ClassLoader.

Impact

Remote attackers could potentially execute arbitrary code with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Commons BeanUtils users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-java/commons-beanutils-1.9.2"