A vulnerability was found in Infinispan before version 10.0.0 Final. The invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges.
Red Hat OpenStack Platform's OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, no OpenDaylight versions will be fixed.
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
What product version of Infinispan includes this fix?
This issue has been addressed in the following products:
Red Hat OpenShift Application Runtimes Vert.x 3.8.3
Via RHSA-2019:3901 https://access.redhat.com/errata/RHSA-2019:3901
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
Created infinispan tracking bugs for this issue:
Affects: fedora-all [bug 1773842]