Bug 1703469 (CVE-2019-10174)
Field | Value | Field | Value
---|---|---|---
Summary: | CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods | |
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | unspecified | CC: | aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, bmcclain, brian.stansberry, cdewolf, chazlett, csutherl, darran.lofthouse, dbecker, dosoudil, drieden, dsquirre, etirelli, fgavrilo, ggaughan, gvarsami, ibek, iweiss, janstey, jawilson, jbalunas, jcoleman, jjoyce, jochrist, jolee, jondruse, jpadman, jpallich, jperkins, jschatte, jschluet, jshaughn, jshepherd, jstastny, kbasil, kconner, krathod, kverlaen, kwills, ldimaggi, lef, lgao, lhh, loleary, lpeer, lthon, mburns, mkolesni, mnovotny, msiddiqu, msochure, msvehla, mszynkie, nwallace, odubaj, paradhya, pdrozd, pgallagh, pgier, pmackay, ppalaga, pslavice, psotirop, puntogil, pzapataf, rguimara, ricardo.arguello, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, sclewis, scohen, sdaley, security-response-team, skitt, slinaber, smaestri, spinder, sthorger, tcunning, theute, tkirby, tom.jenkinson, trogers, tsegismo, twalsh, vhalbert, vtunka
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | Infinispan 10.0.0.Final, Infinispan 9.4.17.Final, Infinispan 8.2.12.Final | Doc Type: | If docs needed, set a value
Doc Text: | A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2019-11-18 18:51:12 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1723346, 1723347, 1723348, 1732369, 1773842 | |
Bug Blocks: | 1642900 | |
Description
Laura Pardo 2019-04-26 14:17:51 UTC

Statement: Red Hat OpenStack Platform's OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, no OpenDaylight versions will be fixed.

This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

What product version of Infinispan includes this fix?

This issue has been addressed in the following products:
Red Hat Openshift Application Runtimes Vert.x 3.8.3
Via RHSA-2019:3901 https://access.redhat.com/errata/RHSA-2019:3901

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10174

Created infinispan tracking bugs for this issue:
Affects: fedora-all [bug 1773842]

Mitigation: There is no known mitigation for this issue.

This issue has been addressed in the following products:
Red Hat Fuse 6.3
Via RHSA-2020:0481 https://access.redhat.com/errata/RHSA-2020:0481

This issue has been addressed in the following products:
Red Hat Data Grid 7.3.3
Via RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0727

This issue has been addressed in the following products:
Red Hat Fuse 7.6.0
Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2020:2062 https://access.redhat.com/errata/RHSA-2020:2062

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8
Via RHSA-2020:2063 https://access.redhat.com/errata/RHSA-2020:2063

This issue has been addressed in the following products:
Red Hat Single Sign On 7.3
Via RHSA-2020:2113 https://access.redhat.com/errata/RHSA-2020:2113

This issue has been addressed in the following products:
EAP-CD 19 Tech Preview
Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333