Bug 1703469 (CVE-2019-10174)

Summary: CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows invocation of private methods
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, bmcclain, brian.stansberry, cdewolf, chazlett, csutherl, darran.lofthouse, dbecker, dosoudil, drieden, dsquirre, etirelli, fgavrilo, ggaughan, gvarsami, ibek, iweiss, janstey, jawilson, jbalunas, jcoleman, jjoyce, jochrist, jolee, jondruse, jpadman, jpallich, jperkins, jschatte, jschluet, jshaughn, jshepherd, jstastny, kbasil, kconner, krathod, kverlaen, kwills, ldimaggi, lef, lgao, lhh, loleary, lpeer, lthon, mburns, mkolesni, mnovotny, msiddiqu, msochure, msvehla, mszynkie, nwallace, odubaj, paradhya, pdrozd, pgallagh, pgier, pmackay, ppalaga, pslavice, psotirop, puntogil, pzapataf, rguimara, ricardo.arguello, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, sclewis, scohen, sdaley, security-response-team, skitt, slinaber, smaestri, spinder, sthorger, tcunning, theute, tkirby, tom.jenkinson, trogers, tsegismo, twalsh, vhalbert, vtunka
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Infinispan 10.0.0.Final, Infinispan 9.4.17.Final, Infinispan 8.2.12.Final
Doc Text:
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
Last Closed: 2019-11-18 18:51:12 UTC
Bug Depends On: 1723346, 1723347, 1723348, 1732369, 1773842
Bug Blocks: 1642900

Description Laura Pardo 2019-04-26 14:17:51 UTC
A vulnerability was found in Infinispan before version 10.0.0 Final. The invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges.
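An added illustration of the weakness described in this report, not Infinispan's own code: a public reflection helper that suppresses access checks inside its own doPrivileged block lets any caller borrow the library's privileges, while the hardened form checks the caller's ReflectPermission first. Class, method and sample names are assumptions, and it assumes a SecurityManager-era JVM (the check is a no-op when no SecurityManager is installed).

```java
import java.lang.reflect.Method;
import java.lang.reflect.ReflectPermission;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Illustrative helper, not Infinispan's source; names are assumptions.
public final class ReflectionUtilExample {

    // Vulnerable shape: setAccessible(true) runs inside the library's own doPrivileged
    // block, so the permission check stops at the library's protection domain. Any
    // application class that can reach this public method can therefore call a private
    // method in any class with the library's privileges rather than its own.
    public static Object invokeAccessiblyUnchecked(Object target, Method m, Object... args)
            throws Exception {
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            m.setAccessible(true);
            return null;
        });
        return m.invoke(target, args);
    }

    // Hardened shape (assumed remediation pattern): evaluate the caller's full access
    // control context before entering doPrivileged. A caller whose policy does not grant
    // ReflectPermission("suppressAccessChecks") gets an AccessControlException here,
    // while the library's own internal callers, which hold it, still succeed.
    public static Object invokeAccessiblyChecked(Object target, Method m, Object... args)
            throws Exception {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new ReflectPermission("suppressAccessChecks"));
        }
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            m.setAccessible(true);
            return null;
        });
        return m.invoke(target, args);
    }

    // Sample target with a private method, constructed for this example.
    static final class Secret {
        private String reveal() { return "private-state"; }
    }

    public static void main(String[] args) throws Exception {
        Method reveal = Secret.class.getDeclaredMethod("reveal");
        // With no SecurityManager both paths succeed; under a SecurityManager whose policy
        // withholds suppressAccessChecks from the caller, only the checked path refuses.
        System.out.println(invokeAccessiblyChecked(new Secret(), reveal));
    }
}
```

The difference to audit for in any similar utility is whether the permission check happens in the caller's context (outside doPrivileged) or only in the library's.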

Comment 3 Joshua Padman 2019-05-09 03:30:35 UTC
Statement:

Red Hat OpenStack Platform's OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, OpenDaylight versions will not be fixed.

Comment 4 Joshua Padman 2019-05-15 23:05:10 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 8 Marek Novotny 2019-06-24 11:46:30 UTC
What product version of Infinispan includes this fix?

Comment 20 errata-xmlrpc 2019-11-18 14:40:58 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes Vert.x 3.8.3

Via RHSA-2019:3901 https://access.redhat.com/errata/RHSA-2019:3901

Comment 21 Product Security DevOps Team 2019-11-18 18:51:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10174

Comment 22 Kunjan Rathod 2019-11-19 05:03:44 UTC
Created infinispan tracking bugs for this issue:

Affects: fedora-all [bug 1773842]

Comment 29 Chess Hazlett 2020-02-12 05:01:33 UTC
Mitigation:

There is no known mitigation for this issue.

Comment 30 errata-xmlrpc 2020-02-12 15:26:50 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 6.3

Via RHSA-2020:0481 https://access.redhat.com/errata/RHSA-2020:0481

Comment 32 errata-xmlrpc 2020-03-05 12:53:52 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.3

Via RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0727

Comment 34 errata-xmlrpc 2020-03-26 15:47:30 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983

Comment 37 errata-xmlrpc 2020-05-11 20:20:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2062 https://access.redhat.com/errata/RHSA-2020:2062

Comment 38 errata-xmlrpc 2020-05-11 20:33:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:2063 https://access.redhat.com/errata/RHSA-2020:2063

Comment 39 errata-xmlrpc 2020-05-12 17:17:40 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign On 7.3

Via RHSA-2020:2113 https://access.redhat.com/errata/RHSA-2020:2113

Comment 40 errata-xmlrpc 2020-05-28 15:58:45 UTC
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333