[site] Add security page section for CVE-2022-42920

garydgregory · garydgregory · commit d8d4ae1f6eb2 · 2026-01-12T16:05:57.000-05:00
Fixed back in 6.6.0 (2022-10-08)
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
@@ -1,24 +1,10 @@
 <?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements.  See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership.  The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License.  You may obtain a copy of the License at
-
-   https://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied.  See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<document xmlns="http://maven.apache.org/XDOC/2.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional 
+  information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except 
+  in compliance with the License. You may obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to 
+  in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See 
+  the License for the specific language governing permissions and limitations under the License. -->
+<document xmlns="http://maven.apache.org/XDOC/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 https://maven.apache.org/xsd/xdoc-2.0.xsd">
   <properties>
     <title>Apache Commons Security Reports</title>
@@ -28,24 +14,46 @@
     <section name="About Security">
       <p>
         For information about reporting or asking questions about security, please see
-        <a href="https://commons.apache.org/security.html">Apache Commons Security</a>.
+        <a href="https://commons.apache.org/security.html">Apache Commons Security</a>
+        .
       </p>
-      <p>This page lists all security vulnerabilities fixed in released versions of this component. 
+      <p>This page lists all security vulnerabilities fixed in released versions of this component.
       </p>
       <p>Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the component version
-        that you are using. 
+        that you are using.
       </p>
       <p>
         If you need help on building this component or other help on following the instructions to mitigate the known vulnerabilities listed here, please send
         your questions to the public
-        <a href="mail-lists.html">user mailing list</a>.
+        <a href="mail-lists.html">user mailing list</a>
+        .
       </p>
       <p>If you have encountered an unlisted security vulnerability or other unexpected behavior that has security impact, or if the descriptions here are
-        incomplete, please report them privately to the Apache Security Team. Thank you. 
+        incomplete, please report them privately to the Apache Security Team. Thank you.
       </p>
     </section>
     <section name="Security Vulnerabilities">
-      <p>None.</p>
+      <subsection name="CVE-2022-42920">
+        <ul>
+          <li>CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing.</li>
+          <li>Severity: Critical</li>
+          <li>CWE-ID: CWE-787</li>
+          <li>Vendor: The Apache Software Foundation</li>
+          <li>Versions Affected: Apache Commons BCEL before 6.6.0.</li>
+          <li>Description: Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an
+            out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass
+            attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache
+            Commons BCEL 6.6.0.
+          </li>
+          <li>Mitigation: Users are recommended to upgrade to version 6.6.0 or later, which fixes the issue.</li>
+          <li>Credit: Reported by Felix Wilhelm (Google)</li>
+          <li>Credit: GitHub pull request to Apache Commons BCEL #147 by Richard Atkins (https://github.com/rjatkins)</li>
+          <li>Credit: PR
+            derived from OpenJDK (https://github.com/openjdk/jdk11u/) commit 13bf52c8d876528a43be7cb77a1f452d29a21492 by Aleksei Voitylov and
+            RealCLanger (Christoph Langer https://github.com/RealCLanger)
+          </li>
+        </ul>
+      </subsection>
     </section>
   </body>
 </document>
