[Updated] (MSHARED-961) Upgrade BeanShell to 2.0b6

Martin Kanters (Jira)

     [ https://issues.apache.org/jira/browse/MSHARED-961?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Elliotte Rusty Harold updated MSHARED-961:
    Summary: Upgrade BeanShell to 2.0b6  (was: Upgrde BeanShell to 2.0b6)

> Upgrade BeanShell to 2.0b6
> --------------------------
>                 Key: MSHARED-961
>                 URL: https://issues.apache.org/jira/browse/MSHARED-961
>             Project: Maven Shared Components
>          Issue Type: Dependency upgrade
>          Components: maven-script-interpreter
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>             Fix For: maven-script-interpreter-1.3
> Update to the latest available BeanShell version 2.0b6
> [https://github.com/beanshell/beanshell/releases/tag/2.0b6]
> BeanShell 2.0b6 is a security update that is functionally equivalent to the previous version 2.0b5.
> No other functionality has changed since 2.0b5, but this is a *recommended update* for all BeanShell users, as it fixes a remote code execution vulnerability.
> h2. Security fix (CVE-2016-2510)
> This release fixes a remote code execution vulnerability that was identified in BeanShell by [Alvaro Muñoz|https://twitter.com/pwntester] and [Christian Schneider|https://twitter.com/cschneider4711]. The BeanShell team would like to thank them for their help and contributions to this fix!
> An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses [Java serialization|https://docs.oracle.com/javase/tutorial/jndi/objects/serial.html] or [XStream|http://x-stream.github.io/] to deserialize data from an untrusted source.
> A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands.
> This update fixes the vulnerability in BeanShell, but it is worth noting that applications doing such deserialization might still be insecure through other libraries. It is recommended that application developers take further measures such as using a restricted class loader when deserializing. See notes on [Java serialization security|http://www.oracle.com/technetwork/java/seccodeguide-139067.html#8], [XStream security|http://x-stream.github.io/security.html] and [How to secure deserialization from untrusted input without using encryption or sealing|http://www.ibm.com/developerworks/library/se-lookahead/].
> A [MITRE CVE number|http://cve.mitre.org/cve/] has been reserved: [CVE-2016-2510|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2510]

This message was sent by Atlassian Jira
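The quoted release notes recommend restricting what a deserializer will instantiate rather than relying on the BeanShell fix alone. The following is an added example, not code from the Jira issue, the BeanShell project or Maven: a look-ahead `ObjectInputStream` that checks each class name against an allow-list before the class is loaded, so a gadget class such as anything under the `bsh.` package is rejected before any of its deserialization logic can run. The `Ticket` type, the allow-list contents and the use of a `HashMap` as a stand-in for an unexpected class are all assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

// Added example (not BeanShell or Maven code): look-ahead deserialization
// with an allow-list, as recommended in the release notes quoted above.
public class LookAheadDeserialization {

    // Hypothetical application type that is the only thing we expect to
    // receive over the untrusted channel.
    public static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Ticket(String id) { this.id = id; }
    }

    // Assumption: these are the only classes legitimate input ever contains.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            Ticket.class.getName()));

    // resolveClass() runs when the stream names a class, before that class is
    // loaded and before its readObject()/readResolve() can execute, so this is
    // the point at which to refuse unexpected types.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Belt and braces: scripting-engine classes are never acceptable in
            // untrusted data, even if the allow-list is widened later.
            if (name.startsWith("bsh.")) {
                throw new InvalidClassException(name,
                        "scripting engine classes are never deserialized");
            }
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name,
                        "class is not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeRestricted(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected input is accepted.
        Ticket t = (Ticket) deserializeRestricted(serialize(new Ticket("T-1")));
        System.out.println("accepted: " + t.id);

        // Anything else (a HashMap here stands in for a gadget chain's root
        // object) is rejected by name before its class is even loaded.
        try {
            deserializeRestricted(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the built-in JEP 290 filter instead of a subclass, for example `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("com.example.Ticket;!*"))`, where `!*` rejects everything not matched earlier. In either form the allow-list is what makes the defence hold: a deny-list of known gadget packages such as `bsh.` only covers the libraries you already know about, which is exactly the caveat the release notes raise.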