How the CVE Works
The vulnerability stems from improper access control in Apache Commons BeanUtils (1.x releases before 1.11.0 and 2.x releases before 2.0.0-M2). Every Java enum exposes a declared-class property (the bean property derived from Enum.getDeclaringClass(), so its introspected name is declaringClass), and the Class object it returns in turn exposes a classLoader property. When an attacker controls the nested property path passed to PropertyUtilsBean.getProperty() or getNestedProperty() (or to any BeanUtils entry point that resolves property names, such as populate() or setProperty()), they can walk from an enum-typed property through its declaring class to the application's ClassLoader. That is the same primitive CVE-2014-0114 reached through the class property; whether a ClassLoader reference turns into arbitrary code execution depends on what that loader exposes through its own bean properties, as the 2014 Struts/Tomcat class-loader manipulation chain showed. BeanUtils added SuppressPropertiesBeanIntrospector in 1.9.2 and has suppressed the class property by default since 1.9.4, but left the enum's declaring-class property reachable. Versions 1.11.0 and 2.0.0-M2 extend the default suppression to cover it; earlier versions remain exposed unless the application adds that suppression itself.
DailyCVE Form
Platform: Apache Commons
Version: <1.11.0, <2.0.0-M2
Vulnerability: ClassLoader hijacking
Severity: Critical
Date: 2019-12-01
Prediction: Patch released (1.11.0/2.0.0-M2)
What Undercode Say:
Exploitation:
1. Payload Example:
   // Attacker-controlled nested path resolved against a bean whose
   // "status" property is an enum. The page's "declaredClass" is the
   // declaring-class property, which BeanUtils introspects as "declaringClass".
   // getProperty()/getNestedProperty() are instance methods of PropertyUtilsBean;
   // the static PropertyUtils facade delegates to the shared instance.
   String maliciousPath = "status.declaringClass.classLoader";
   Object hijackedLoader = PropertyUtils.getNestedProperty(targetBean, maliciousPath);
2. Exploit Chain:
   - The attacker supplies a property path that steps from an enum-typed property into the enum's declaring class.
   - The path continues into classLoader, handing the attacker a reference to the application's ClassLoader; turning that into loading malicious classes or code execution additionally requires a loader whose own bean properties can be abused.
Mitigation:
1. Upgrade (1.11.0 for the 1.x line; 2.0.0-M2 for the 2.x line, which uses the org.apache.commons groupId and artifactId commons-beanutils2):
   <!-- Maven fix -->
   <dependency>
     <groupId>commons-beanutils</groupId>
     <artifactId>commons-beanutils</artifactId>
     <version>1.11.0</version>
   </dependency>
2. Manual Patch (Legacy Systems):
   // Suppress the enum's declaring-class property on the shared PropertyUtilsBean.
   // SuppressPropertiesBeanIntrospector has no no-arg constructor; it takes the
   // collection of property names to hide. Any PropertyUtilsBean you construct
   // yourself needs the same call, since introspectors are per instance.
   BeanUtilsBean.getInstance().getPropertyUtils().addBeanIntrospector(
       new SuppressPropertiesBeanIntrospector(java.util.Collections.singleton("declaringClass")));
3. Log Monitoring:
   Application logs rarely record the property names BeanUtils resolves, so log the raw property paths at the point where request data enters getProperty()/populate(), then audit those logs for paths that step into the enum's class or its loader:
   grep -rEi 'declar(ed|ing)Class|classLoader' /var/log/app_logs
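The following is an added example, not code from the page or from the Apache Commons project, that puts the exploit chain above and the manual patch side by side. The class EnumClassLoaderDemo, the Account bean, its Status enum, the ALLOWED_PATHS allowlist and the method names are all hypothetical; it assumes a commons-beanutils 1.9.4 or 1.10.x jar on the classpath, which is where the unsafe read still returns a ClassLoader.

```java
import java.util.Collections;
import java.util.Set;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Hypothetical demo: a bean with an enum-typed property, read through
 * BeanUtils with an attacker-controlled nested property path.
 */
public class EnumClassLoaderDemo {

    public enum Status { ACTIVE, DISABLED }

    /** Hypothetical application bean. */
    public static class Account {
        private Status status = Status.ACTIVE;
        public Status getStatus() { return status; }
        public void setStatus(Status s) { status = s; }
    }

    /** Hypothetical allowlist: the only property paths a caller may read by name. */
    private static final Set<String> ALLOWED_PATHS = Collections.singleton("status");

    /** Vulnerable pattern: the path comes straight from the request. */
    public static Object unsafeRead(Object bean, String untrustedPath) throws Exception {
        PropertyUtilsBean pub = new PropertyUtilsBean(); // default introspectors of the installed version
        return pub.getNestedProperty(bean, untrustedPath);
    }

    /**
     * Suppression alone, for versions before 1.11.0: hide the enum's
     * declaring-class property (what 1.11.0 does by default). BeanUtils then
     * reports the property as unknown and throws NoSuchMethodException.
     */
    public static Object suppressedRead(Object bean, String untrustedPath) throws Exception {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(
            new SuppressPropertiesBeanIntrospector(Collections.singleton("declaringClass")));
        return pub.getNestedProperty(bean, untrustedPath);
    }

    /** Hardened pattern: allowlist the path first, then read with suppression in place. */
    public static Object safeRead(Object bean, String untrustedPath) throws Exception {
        if (!ALLOWED_PATHS.contains(untrustedPath)) {
            throw new IllegalArgumentException("property path not allowed: " + untrustedPath);
        }
        return suppressedRead(bean, untrustedPath);
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account();
        String attackerPath = "status.declaringClass.classLoader"; // constructed attacker input

        // On commons-beanutils before 1.11.0 this prints the ClassLoader that loaded Status.
        System.out.println("unsafe: " + unsafeRead(acct, attackerPath));

        try {
            suppressedRead(acct, attackerPath);
        } catch (NoSuchMethodException e) {
            System.out.println("suppressed: " + e.getMessage());
        }

        try {
            safeRead(acct, attackerPath);
        } catch (IllegalArgumentException e) {
            System.out.println("allowlist: " + e.getMessage());
        }
        System.out.println("allowed: " + safeRead(acct, "status"));
    }
}
```

Run it once against a pre-1.11.0 jar and once against 1.11.0: the first call prints a ClassLoader on the old jar and throws NoSuchMethodException on the fixed one, while suppressedRead and safeRead behave the same on both. The allowlist matters even after upgrading, because suppression only removes the properties someone thought to list; an allowlist removes everything that was not expected.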
Detection:
- Static Analysis:
   The jar is named commons-beanutils-<version>.jar, and grepping a binary jar for a version pattern proves nothing, so list the jars and read the version from the manifest instead (shaded or repackaged copies need a separate search for the class org/apache/commons/beanutils/PropertyUtilsBean.class):
   find /app/libs -name 'commons-beanutils*.jar' -exec sh -c 'printf "%s " "$1"; unzip -p "$1" META-INF/MANIFEST.MF | grep -Ei "^(Implementation|Bundle)-Version"' _ {} \;
   Anything reported below 1.11.0 (or below 2.0.0-M2 on the 2.x line) is exposed.
- Runtime Protection:
   Do not rely on a SecurityManager policy for this: there is no policy API of the form shown on some write-ups, SecurityManager is deprecated for removal since Java 17, and Class.getClassLoader() only checks RuntimePermission "getClassLoader" when the caller's class loader is neither the same as nor an ancestor of the target's loader, which is not the case when BeanUtils and the application's enum share the application loader. Enforce the restriction in BeanUtils itself: add SuppressPropertiesBeanIntrospector for the enum's declaring-class property on every PropertyUtilsBean in use, and never pass request-controlled property paths to getProperty(), getNestedProperty(), setProperty() or populate() without an allowlist of the property names the endpoint actually expects.
Sources:
Reported By: github.com