
Conversation

@smolnar82
Contributor

@smolnar82 smolnar82 commented Feb 22, 2018

What changes were proposed in this pull request?

Per CVE-2014-0114:

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

To avoid this in Ambari server we upgraded to 1.9.3.

How was this patch tested?

After updating the affected pom.xml files I've done the following:

1.) Checking Maven's dependency resolution:

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
[INFO] org.apache.ambari:ambari-server:jar:2.6.0.0.0
[INFO] \- org.apache.hadoop:hadoop-common:jar:2.7.2:compile
[INFO]    \- commons-configuration:commons-configuration:jar:1.6:compile
[INFO]       +- commons-digester:commons-digester:jar:1.8:compile
[INFO]       |  \- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO]       \- commons-beanutils:commons-beanutils-core:jar:1.8.0:compile

2.) I executed mvn clean install in utility and in ambari-server:

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 40:01 min
[INFO] Finished at: 2018-02-22T17:51:54+01:00
[INFO] Final Memory: 186M/1678M
[INFO] ------------------------------------------------------------------------

3.) In addition to this, I replaced the content of usr/lib/ambari-server in my vagrant host with the content from ambari-server/target/ambari-server-2.6.0.0.0-dist/usr/lib/ambari-server (where I found commons-beanutils-1.9.3.jar), restarted the server and then logged in; there were no issues.

@smolnar82
Contributor Author

@rlevas @zeroflag @oleewere Please review this PR. Thanks!

@adoroszlai changed the title from "[AMBARI-23054] Upgaring commons-beanutils dependency in ambari-server to 1.9.3" to "[AMBARI-23054] Upgrading commons-beanutils dependency in ambari-server to 1.9.3" on Feb 22, 2018
@adoroszlai
Contributor

@smolnar82 @rlevas

Based on the description of BeanUtils modules I would think commons-beanutils-core:jar:1.8.0 should be excluded, too.
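The manual check in the PR description (reading the `mvn dependency:tree` output for the commons-beanutils version) and the point raised above (the split `commons-beanutils-core` 1.8.0 jar still being on the classpath) can both be automated. The script below is an added example, not code from the Ambari project or from the PR; it parses the plain-text tree format that maven-dependency-plugin prints, and flags any `commons-beanutils` or `commons-beanutils-core` artifact below the PR's target version 1.9.3. The two embedded trees are the ones pasted in this thread, before and after the `-core` exclusion; the artifact set and minimum version are assumptions taken from the PR discussion, not from an authoritative vulnerability feed.

```python
"""Flag commons-beanutils artifacts below the PR's target version in
`mvn dependency:tree` output.  Added example, not part of the Ambari PR."""
import re
from typing import List, NamedTuple, Tuple


class Dependency(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str


# Assumption from the PR thread: both the main jar and the 1.8.x-era split
# "-core" jar carry the BeanUtils code affected by CVE-2014-0114, and 1.9.3
# is the version the PR upgrades to.  Anything lower is reported.
VULNERABLE_ARTIFACTS = {"commons-beanutils", "commons-beanutils-core"}
MIN_SAFE_VERSION = (1, 9, 3)

# groupId:artifactId:type[:classifier]:version:scope, as dependency:tree prints it.
# The root project line has no scope and is deliberately not matched.
COORD_RE = re.compile(
    r"^([\w.\-]+):([\w.\-]+):[\w\-]+(?::[\w\-]+)?:([\w.\-]+):(\w+)$"
)
# Strips the "[INFO]" prefix and the tree-drawing characters (spaces, |, +, \, -).
TREE_PREFIX_RE = re.compile(r"^(?:\[INFO\])?[\s|+\\\-]*")


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.9.3' or '1.8' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_tree(text: str) -> List[Dependency]:
    """Extract every resolved dependency coordinate from dependency:tree output."""
    deps = []
    for raw in text.splitlines():
        line = TREE_PREFIX_RE.sub("", raw).strip()
        match = COORD_RE.match(line)
        if match:
            deps.append(Dependency(*match.groups()))
    return deps


def find_vulnerable(text: str) -> List[str]:
    """Return 'group:artifact:version' for each flagged BeanUtils artifact."""
    return [
        f"{d.group}:{d.artifact}:{d.version}"
        for d in parse_tree(text)
        if d.artifact in VULNERABLE_ARTIFACTS
        and version_key(d.version) < MIN_SAFE_VERSION
    ]


# Constructed samples: the two tree excerpts pasted in the PR thread.
TREE_BEFORE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
[INFO] org.apache.ambari:ambari-server:jar:2.6.0.0.0
[INFO] \- org.apache.hadoop:hadoop-common:jar:2.7.2:compile
[INFO]    \- commons-configuration:commons-configuration:jar:1.6:compile
[INFO]       +- commons-digester:commons-digester:jar:1.8:compile
[INFO]       |  \- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO]       \- commons-beanutils:commons-beanutils-core:jar:1.8.0:compile
"""

TREE_AFTER = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
[INFO] org.apache.ambari:ambari-server:jar:2.6.0.0.0
[INFO] \- org.apache.hadoop:hadoop-common:jar:2.7.2:compile
[INFO]    \- commons-configuration:commons-configuration:jar:1.6:compile
[INFO]       \- commons-digester:commons-digester:jar:1.8:compile
[INFO]          \- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    for label, tree in (("before", TREE_BEFORE), ("after", TREE_AFTER)):
        flagged = find_vulnerable(tree)
        print(f"{label}: {flagged or 'no BeanUtils artifact below 1.9.3'}")
```

Run against a real build with `mvn dependency:tree | python3 check_beanutils.py` after swapping the embedded samples for `sys.stdin.read()`; the version comparison is numeric, so `1.8` and `1.8.0` both sort below `1.9.3`, and the `-core` artifact is caught even when the main jar is already current, which is exactly the state the first tree in this thread shows.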

@asfgit

asfgit commented Feb 22, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/758/
Test PASSed.

…server too since in 1.9.x there is no more JAR split within commons-beanutils
@smolnar82
Contributor Author

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-server ---
[INFO] org.apache.ambari:ambari-server:jar:2.6.0.0.0
[INFO] \- org.apache.hadoop:hadoop-common:jar:2.7.2:compile
[INFO]    \- commons-configuration:commons-configuration:jar:1.6:compile
[INFO]       \- commons-digester:commons-digester:jar:1.8:compile
[INFO]          \- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.088 s
[INFO] Finished at: 2018-02-23T07:40:42+01:00
[INFO] Final Memory: 25M/445M
[INFO] ------------------------------------------------------------------------

@asfgit

asfgit commented Feb 23, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/772/
Test PASSed.

@smolnar82
Contributor Author

@rlevas @zeroflag @oleewere Please review this PR. Thanks!
