Bug 1767483 (CVE-2019-10086)
Summary: | CVE-2019-10086 apache-commons-beanutils: does not suppress the class property in PropertyUtilsBean by default | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | aboyko, ahenning, aileenc, akoufoud, alazarot, almorale, anstephe, anthomas, aschwart, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bmaxwell, boliveir, brian.stansberry, btotty, cbuissar, cbyrne, cdewolf, chazlett, cmacedo, darran.lofthouse, dbecker, dblechte, dbruscin, decathorpe, dfediuck, dffrench, dhanak, dkreling, dosoudil, drichtar, drieden, drosa, drusso, ecerquei, eedri, eglynn, ehelms, etirelli, fjuma, fnasser, ganandan, ggainey, ggaughan, gmalinko, gvarsami, hhorak, hhudgeon, ibek, istudens, ivassile, iweiss, janstey, java-maint, java-sig-commits, jawilson, jbalunas, jcoleman, jjoyce, jkoops, jmadigan, jochrist, jolee, jorton, jpallich, jperkins, jrokos, jross, jschatte, jschluet, jshepherd, jstastny, juwatts, kbasil, kconner, krathod, kvanderr, kverlaen, kwills, ldimaggi, lgao, lhh, loleary, lpeer, lsvaty, lthon, lzap, mburns, mgarciac, mgoldboi, mhulan, michal.skrivanek, mizdebsk, mkolesni, mmccune, mnovotny, mosmerov, mperina, mposolda, msochure, msvehla, mszynkie, ngough, nmoumoul, nwallace, omajid, osousa, paradhya, pcreech, pdelbell, pdrozd, peholase, pesilva, pgallagh, pgrist, pjindal, pmackay, porcelli, pskopek, psotirop, pwright, qe-baseos-apps, rchan, rguimara, rjerrido, rkieley, rmartinc, rowaters, rrajasek, rruss, rstancel, rstepani, rsvoboda, rsynek, rwagner, sausingh, sbonazzo, sclewis, scohen, scorneli, sdaley, sgehwolf, sguilhen, sherold, skitt, slinaber, smaestri, smallamp, sokeeffe, SpikeFedora, spinder, ssilvert, stewardship-sig, sthorger, tcunning, theute, tkirby, tlestach, tom.jenkinson, trepel, twalsh, vhalbert, vmuzikar, yturgema |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | apache-commons-beanutils 1.9.4 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2019-12-18 20:09:25 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1767498, 1772495, 1772496, 1776318, 1777091, 1781294, 1781295, 1781713, 1781714, 1781715, 1781716, 1781717, 1782344, 1782459, 1782460, 1782461, 1782462, 1809370, 1809371 | | |
Bug Blocks: | 1767578, 2014197 | | |
Description
Guilherme de Almeida Suckevicz
2019-10-31 14:38:08 UTC
Created apache-commons-beanutils tracking bugs for this issue:

Affects: fedora-all [bug 1767498]

The page for the CVE entry [0] claims that this affects versions <= 1.9.3, so 1.9.4 does not have this issue - do I understand this correctly? If so, we can just merge the 1.9.4 update that's already in rawhide to stable fedora releases as well.

[0]: https://nvd.nist.gov/vuln/detail/CVE-2019-10086

External References:

https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt

RHSSO 7.3.4 ships commons-beanutils-1.9.3.redhat-1.jar, which seems to be affected as per the description. This flaw allows an attacker to manipulate the class loader properties on the server, and I am not sure which properties are exposed by RHSSO, so I am creating the tracker and leaving it to the dev team to take it further.

This vulnerability is out of security support scope for the following products:

* Red Hat Enterprise Application Platform 6
* Red Hat Enterprise Application Platform 5
* Red Hat JBoss Operations Network 3
* Red Hat JBoss BPMS 6
* Red Hat JBoss BRMS 6
* Red Hat JBoss SOA Platform 5

In reply to comment #8:

> This vulnerability is out of security support scope for the following
> products:
> * Red Hat Enterprise Application Platform 6
> * Red Hat Enterprise Application Platform 5
> * Red Hat JBoss Operations Network 3
> * Red Hat JBoss BPMS 6
> * Red Hat JBoss BRMS 6
> * Red Hat JBoss SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Both RHDM 7.5.1 and RHPAM 7.5.1 ship commons-beanutils-1.9.3.redhat-1.jar, which seems to be affected, so marking them as affected and creating trackers for them:

./standalone/deployments/decision-central.war/WEB-INF/lib/commons-beanutils-1.9.3.redhat-1.jar
./standalone/deployments/business-central.war/WEB-INF/lib/commons-beanutils-1.9.3.redhat-1.jar

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:4317 https://access.redhat.com/errata/RHSA-2019:4317

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10086

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0057 https://access.redhat.com/errata/RHSA-2020:0057

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:0194 https://access.redhat.com/errata/RHSA-2020:0194

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0811 https://access.redhat.com/errata/RHSA-2020:0811

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0806

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0804

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0805

This issue has been addressed in the following products:

Red Hat Decision Manager

Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899

This issue has been addressed in the following products:

Red Hat Single Sign-On

Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951

This issue has been addressed in the following products:

Red Hat Virtualization Engine 4.3
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2020:1308 https://access.redhat.com/errata/RHSA-2020:1308

This issue has been addressed in the following products:

Red Hat Satellite 6.7 for RHEL 7

Via RHSA-2020:1454 https://access.redhat.com/errata/RHSA-2020:1454

Mitigation:

There is no currently known mitigation for this flaw.

This issue has been addressed in the following products:

Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

This issue has been addressed in the following products:

Red Hat Data Grid 7.3.6

Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321

This issue has been addressed in the following products:

EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333

This issue has been addressed in the following products:

Red Hat Fuse 7.6.0 on EAP async

Via RHSA-2020:2619 https://access.redhat.com/errata/RHSA-2020:2619

This issue has been addressed in the following products:

Red Hat Satellite 6.5 for RHEL 7

Via RHSA-2020:2740 https://access.redhat.com/errata/RHSA-2020:2740

This issue has been addressed in the following products:

Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192

This issue has been addressed in the following products:

Red Hat Process Automation

Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197

This issue has been addressed in the following products:

Red Hat Virtualization Engine 4.4

Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247

This issue has been addressed in the following products:

Red Hat Fuse 6.3

Via RHSA-2020:3587 https://access.redhat.com/errata/RHSA-2020:3587

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7

Via RHSA-2024:5856 https://access.redhat.com/errata/RHSA-2024:5856
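The following is an added example, not code from this bug or from Apache Commons BeanUtils itself, illustrating the flaw in the Doc Text above from the application side: it checks whether a PropertyUtilsBean still exposes the inherited `class` pseudo-property and shows the introspector configuration that removes it. It assumes commons-beanutils 1.9.2 or later on the classpath (SuppressPropertiesBeanIntrospector exists from 1.9.2, and 1.9.4 registers SUPPRESS_CLASS by default) and uses a constructed UserForm bean.

```java
import java.util.Map;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassPropertyCheck {

    // Constructed sample bean: an ordinary JavaBean that an application
    // might populate from untrusted request parameters.
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // True when the "class" pseudo-property (from Object.getClass()) is
    // visible to the given PropertyUtilsBean. With default settings this is
    // true on 1.9.3 and earlier, which is the condition CVE-2019-10086 describes.
    public static boolean exposesClassProperty(PropertyUtilsBean pub) {
        return pub.isReadable(new UserForm(), "class");
    }

    // Hardened instance: register the introspector that drops "class" from
    // the property set. 1.9.4 does this by default; on 1.9.2/1.9.3 an
    // application has to add it explicitly (assumption: fresh instance, so
    // no descriptors were cached before the introspector was registered).
    public static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean bub = new BeanUtilsBean();
        bub.getPropertyUtils().addBeanIntrospector(
            SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    public static void main(String[] args) throws Exception {
        BeanUtilsBean defaults = new BeanUtilsBean();
        System.out.println("default exposes class: "
            + exposesClassProperty(defaults.getPropertyUtils()));

        BeanUtilsBean hardened = hardenedBeanUtils();
        System.out.println("hardened exposes class: "
            + exposesClassProperty(hardened.getPropertyUtils()));

        // Populate from a constructed parameter map. With the hardened
        // instance, a "class" key (and anything nested below it) is ignored
        // because the property no longer exists in the introspected set.
        UserForm form = new UserForm();
        hardened.populate(form, Map.of("name", "alice"));
        System.out.println("name = " + form.getName());
    }
}
```

On 1.9.3 the first line prints true and the second false; on 1.9.4 both print false, which is a quick way to confirm which library version a deployment actually loads.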