CVE-2014-0114: Vulnerability in Beanutils



I have a question regarding com.sun.commons:beanutils:1.6.1-20070314 which is used transitively in org.glassfish.metro:webservices-extra:2.3.1. I assume that these beanutils are the same as the Apache commons beanutils version 1.6.1.

By now the Apache commons beanutils are at version 1.9.2. Older versions suffer from the CVE-2014-0114 vulnerability, which is quite severe (CVSS v2 Base Score: 7.5 HIGH).

* Are you planning to update this outdated library?
* It is unclear whether the vulnerability is present in this very old version (1.6.1), but this library being older than the vulnerable ones is not very comforting either.
* Is it possible to rule out that this vulnerability might be present when using Metro?

Thanks and best regards,