Bug 1146657 - (CVE-2019-10086) VUL-0: CVE-2019-10086: apache-commons-beanutils: In 1.9.2, a BeanIntrospector class was added to thwart CVE-2014-0224 but is not used by default
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/240417/
CVSSv3:SUSE:CVE-2019-10086:7.3:(AV:N/...
Reported: 2019-08-21 12:43 UTC by Wolfgang Frisch
Modified: 2019-12-18 15:25 UTC (History)

Found By: Security Response Team
Attachments
upstream patch (5.68 KB, patch)
2019-08-21 12:45 UTC, Wolfgang Frisch
Backported patch for SLE-15 and SLE-12 (5.87 KB, patch)
2019-08-21 15:09 UTC, Pedro Monreal Gonzalez

Description Wolfgang Frisch 2019-08-21 12:43:12 UTC
CVE-2019-10086

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added
which allows suppressing the ability for an attacker to access the classloader
via the class property available on all Java objects. We, however, were not using
this by-default characteristic of the PropertyUtilsBean.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10086
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10086.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086
http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e
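An added example (not code from this bug report or from the upstream project) of the opt-in hardening the description refers to: registering SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS on the shared PropertyUtilsBean in a 1.9.2/1.9.3 deployment, then checking that the class property is no longer resolvable while ordinary properties still are. The Account bean and the harden()/classPropertySuppressed() names are assumptions for illustration.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/** Opt-in mitigation for commons-beanutils 1.9.2/1.9.3 (added example, not from the bug). */
public class BeanUtilsHardening {

    /** Constructed sample bean: one ordinary "name" property plus the implicit "class" property. */
    public static class Account {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Registers the suppressing introspector on the PropertyUtilsBean shared by
     * PropertyUtils and BeanUtils.populate(), then drops any descriptors that were
     * cached before the introspector was installed (addBeanIntrospector does not
     * clear the cache itself, so beans introspected earlier would keep "class").
     */
    public static void harden() {
        PropertyUtilsBean pub = BeanUtilsBean.getInstance().getPropertyUtils();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pub.clearDescriptors();
    }

    /** Returns true when "class" cannot be resolved on the bean, i.e. the mitigation is active. */
    public static boolean classPropertySuppressed(Object bean) throws Exception {
        try {
            PropertyUtils.getProperty(bean, "class");
            return false;
        } catch (NoSuchMethodException suppressed) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account();
        acct.setName("alice");
        System.out.println("before harden(): class suppressed = " + classPropertySuppressed(acct));
        harden();
        System.out.println("after harden():  class suppressed = " + classPropertySuppressed(acct));
        System.out.println("ordinary property still readable: " + PropertyUtils.getProperty(acct, "name"));
    }
}
```

Call harden() once during application start-up, before any request data reaches BeanUtils.populate(); on 1.9.4 the upgrade recommended in this bug removes the need for this opt-in.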
Comment 1 Wolfgang Frisch 2019-08-21 12:45:19 UTC
Versions affected: commons-beanutils-1.9.3 and earlier

Affected SUSE products:
SUSE:SLE-12:Update apache-commons-beanutils 1.9.2-1.149 
SUSE:SLE-15:Update apache-commons-beanutils 1.9.2-2.46 

Please apply the supplied patch or upgrade to version 1.9.4.
Comment 2 Wolfgang Frisch 2019-08-21 12:45:39 UTC
Created attachment 815030 [details]
upstream patch
Comment 3 Pedro Monreal Gonzalez 2019-08-21 15:09:25 UTC
Created attachment 815070 [details]
Backported patch for SLE-15 and SLE-12
Comment 4 Pedro Monreal Gonzalez 2019-08-21 15:12:34 UTC
Updated to 1.9.4 in Factory:
https://build.opensuse.org/request/show/725107
Comment 5 Pedro Monreal Gonzalez 2019-08-21 15:16:23 UTC
Submitted to SLE-15 and SLE-12:
https://build.suse.de/request/show/199378
https://build.suse.de/request/show/199379
Comment 7 Swamp Workflow Management 2019-08-28 19:13:28 UTC
SUSE-SU-2019:2244-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1146657
CVE References: CVE-2019-10086
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    apache-commons-beanutils-1.9.2-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-08-28 19:15:55 UTC
SUSE-SU-2019:2245-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1146657
CVE References: CVE-2019-10086
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    apache-commons-beanutils-1.9.2-4.3.1
SUSE Linux Enterprise Module for Web Scripting 15 (src):    apache-commons-beanutils-1.9.2-4.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    apache-commons-beanutils-1.9.2-4.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    apache-commons-beanutils-1.9.2-4.3.1
Comment 9 Swamp Workflow Management 2019-09-02 22:12:28 UTC
openSUSE-SU-2019:2058-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1146657
CVE References: CVE-2019-10086
Sources used:
openSUSE Leap 15.1 (src):    apache-commons-beanutils-1.9.2-lp151.3.3.1
openSUSE Leap 15.0 (src):    apache-commons-beanutils-1.9.2-lp150.2.3.1
Comment 10 Marcus Meissner 2019-09-04 06:05:48 UTC
released