Bug 1146657 (CVE-2019-10086)

Summary: VUL-0: CVE-2019-10086: apache-commons-beanutils: In 1.9.2, a BeanIntrospector class was added to thwart CVE-2014-0224 but is not used by default
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: pmonrealgonzalez, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/240417/
Whiteboard: CVSSv3:SUSE:CVE-2019-10086:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: upstream patch; Backported patch for SLE-15 and SLE-12

Description Wolfgang Frisch 2019-08-21 12:43:12 UTC
CVE-2019-10086

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added
which allows suppressing the ability for an attacker to access the classloader
via the class property available on all Java objects. We, however, were not using
this by-default characteristic of the PropertyUtilsBean.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10086
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10086.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086
http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e
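The mitigation the description refers to, as an added Java example that is not part of the bug report or of the commons-beanutils project: it compares a default PropertyUtilsBean (1.9.2/1.9.3 behaviour, where the class property resolves) with one on which SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS has been registered. The Account bean and the class name ClassPropertyCheck are constructed for this example.

```java
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    /** Constructed sample bean; stands in for any object whose property names an untrusted caller controls. */
    public static class Account {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** True if the property path resolves, false if the introspector suppressed it (NoSuchMethodException). */
    static boolean isReadable(PropertyUtilsBean utils, Object bean, String path) {
        try {
            utils.getProperty(bean, path);
            return true;
        } catch (NoSuchMethodException e) {
            return false; // "Unknown property 'class' ...": the property was suppressed
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Hardened instance: registers the introspector that 1.9.2/1.9.3 ship but do not enable by default. */
    static PropertyUtilsBean hardened() {
        PropertyUtilsBean utils = new PropertyUtilsBean();
        utils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return utils;
    }

    public static void main(String[] args) {
        Account bean = new Account();
        PropertyUtilsBean defaults = new PropertyUtilsBean(); // pre-1.9.4 default: "class" is exposed
        PropertyUtilsBean fixed = hardened();

        System.out.println("default  class.classLoader readable: " + isReadable(defaults, bean, "class.classLoader"));
        System.out.println("hardened class.classLoader readable: " + isReadable(fixed, bean, "class.classLoader"));
        System.out.println("hardened name readable:              " + isReadable(fixed, bean, "name"));
        // Ordinary properties keep working; only "class" (and anything reached through it) is blocked.
    }
}
```

In an application the introspector belongs on the shared instance, BeanUtilsBean.getInstance().getPropertyUtils(), registered at startup before any property access, since PropertyUtilsBean caches descriptors per class; 1.9.4 registers it in the constructor by default.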
Comment 1 Wolfgang Frisch 2019-08-21 12:45:19 UTC
Versions affected: commons-beanutils-1.9.3 and earlier

Affected SUSE products:
SUSE:SLE-12:Update apache-commons-beanutils 1.9.2-1.149
SUSE:SLE-15:Update apache-commons-beanutils 1.9.2-2.46

Please apply the supplied patch or upgrade to version 1.9.4.
Comment 2 Wolfgang Frisch 2019-08-21 12:45:39 UTC
Created attachment 815030 [details]
upstream patch
Comment 3 Pedro Monreal Gonzalez 2019-08-21 15:09:25 UTC
Created attachment 815070 [details]
Backported patch for SLE-15 and SLE-12
Comment 4 Pedro Monreal Gonzalez 2019-08-21 15:12:34 UTC
Updated to 1.9.4 in Factory:
https://build.opensuse.org/request/show/725107
Comment 5 Pedro Monreal Gonzalez 2019-08-21 15:16:23 UTC
Submitted to SLE-15 and SLE-12:
https://build.suse.de/request/show/199378
https://build.suse.de/request/show/199379
Comment 7 Swamp Workflow Management 2019-08-28 19:13:28 UTC
SUSE-SU-2019:2244-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1146657
CVE References: CVE-2019-10086
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    apache-commons-beanutils-1.9.2-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-08-28 19:15:55 UTC
SUSE-SU-2019:2245-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1146657
CVE References: CVE-2019-10086
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    apache-commons-beanutils-1.9.2-4.3.1
SUSE Linux Enterprise Module for Web Scripting 15 (src):    apache-commons-beanutils-1.9.2-4.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    apache-commons-beanutils-1.9.2-4.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    apache-commons-beanutils-1.9.2-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-09-02 22:12:28 UTC
openSUSE-SU-2019:2058-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1146657
CVE References: CVE-2019-10086
Sources used:
openSUSE Leap 15.1 (src):    apache-commons-beanutils-1.9.2-lp151.3.3.1
openSUSE Leap 15.0 (src):    apache-commons-beanutils-1.9.2-lp150.2.3.1
Comment 10 Marcus Meissner 2019-09-04 06:05:48 UTC
released