Bugzilla – Bug 1146657
VUL-0: CVE-2019-10086: apache-commons-beanutils: In 1.9.2, a BeanIntrospector class was added to thwart CVE-2014-0224 but is not used by default
Last modified: 2019-12-18 15:25:06 UTC
CVE-2019-10086: In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by-default characteristic of the PropertyUtilsBean.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10086
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10086.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086
http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e

Versions affected: commons-beanutils-1.9.3 and earlier

Affected SUSE products:
SUSE:SLE-12:Update apache-commons-beanutils 1.9.2-1.149
SUSE:SLE-15:Update apache-commons-beanutils 1.9.2-2.46

Please apply the supplied patch or upgrade to version 1.9.4.
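The following is an added illustration of the mitigation the report describes; it is not code from the bug report, from SUSE or from the Commons BeanUtils project. It contrasts a PropertyUtilsBean with the default introspection against one that registers SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS, the introspector that 1.9.2 shipped but did not enable. The class names SuppressClassPropertyDemo and Account are constructed for the example; it assumes commons-beanutils 1.9.2 or 1.9.3 on the classpath (on 1.9.4 SUPPRESS_CLASS is registered by default, so both configurations behave like the hardened one).

```java
import java.util.Arrays;
import java.util.stream.Collectors;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added example (not part of the bug report or of Commons BeanUtils):
 * shows that registering SUPPRESS_CLASS removes the "class" property,
 * which every Java object otherwise exposes through getClass(), from
 * what PropertyUtilsBean will resolve.
 */
public class SuppressClassPropertyDemo {

    /** Constructed sample bean; "Account" is a placeholder name. */
    public static class Account {
        private String owner = "alice";
        public String getOwner() { return owner; }
        public void setOwner(String owner) { this.owner = owner; }
    }

    /** Names of the properties the given PropertyUtilsBean discovers on the bean. */
    static String discoveredProperties(PropertyUtilsBean pub, Object bean) {
        return Arrays.stream(pub.getPropertyDescriptors(bean))
                .map(pd -> pd.getName())
                .sorted()
                .collect(Collectors.joining(", "));
    }

    /** Hardened configuration: a BeanUtilsBean whose introspection suppresses "class". */
    static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean bub = new BeanUtilsBean();
        bub.getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account();

        // Weak configuration on 1.9.2/1.9.3: default introspection lists "class"
        // as a readable property, so untrusted property names can reach it.
        BeanUtilsBean plain = new BeanUtilsBean();
        System.out.println("default introspection: " + discoveredProperties(plain.getPropertyUtils(), acct));
        System.out.println("class readable? " + plain.getPropertyUtils().isReadable(acct, "class"));

        // Hardened configuration: "class" is no longer among the descriptors.
        BeanUtilsBean hardened = hardenedBeanUtils();
        System.out.println("with SUPPRESS_CLASS: " + discoveredProperties(hardened.getPropertyUtils(), acct));
        System.out.println("class readable? " + hardened.getPropertyUtils().isReadable(acct, "class"));

        // A lookup of the suppressed property now fails with an unknown-property
        // error instead of handing back the Class object.
        try {
            hardened.getProperty(acct, "class");
            System.out.println("unexpected: class property resolved");
        } catch (NoSuchMethodException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Note that the suppression is per PropertyUtilsBean instance: code that relies on the static BeanUtils/PropertyUtils helpers must configure the shared instance (BeanUtilsBean.getInstance().getPropertyUtils()) the same way, which is what the 1.9.4 upgrade does for every instance.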
Created attachment 815030 [details] upstream patch
Created attachment 815070 [details] Backported patch for SLE-15 and SLE-12
Updated to 1.9.4 in Factory: https://build.opensuse.org/request/show/725107
Submitted to SLE-15 and SLE-12: https://build.suse.de/request/show/199378 https://build.suse.de/request/show/199379
SUSE-SU-2019:2244-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1146657
CVE References: CVE-2019-10086
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src): apache-commons-beanutils-1.9.2-3.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:2245-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1146657
CVE References: CVE-2019-10086
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src): apache-commons-beanutils-1.9.2-4.3.1
SUSE Linux Enterprise Module for Web Scripting 15 (src): apache-commons-beanutils-1.9.2-4.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): apache-commons-beanutils-1.9.2-4.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): apache-commons-beanutils-1.9.2-4.3.1

openSUSE-SU-2019:2058-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1146657
CVE References: CVE-2019-10086
Sources used:
openSUSE Leap 15.1 (src): apache-commons-beanutils-1.9.2-lp151.3.3.1
openSUSE Leap 15.0 (src): apache-commons-beanutils-1.9.2-lp150.2.3.1
released