Bug 1703469 (CVE-2019-10174) - CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods
Summary: CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10174
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1723347 1723348 1732369 1723346 1773842
Blocks: 1642900
Reported: 2019-04-26 14:17 UTC by Laura Pardo
Modified: 2019-12-12 02:22 UTC

Fixed In Version: Infinispan 10.0.0.Final, Infinispan 9.4.17.Final
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
Clone Of:
Environment:
Last Closed: 2019-11-18 18:51:12 UTC




Links
Red Hat Product Errata RHSA-2019:3901 (Priority: None, Status: None, Summary: None; last updated 2019-11-18 14:41:01 UTC)

Description Laura Pardo 2019-04-26 14:17:51 UTC
A vulnerability was found in Infinispan before version 10.0.0 Final. The invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges.
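To make the description concrete, an added example (constructed here, not Infinispan's own code; the class, method and package names are assumptions) shows the unsafe shape of such a helper next to a hardened one: the unsafe version is public, strips access checks and runs inside doPrivileged, so every caller inherits the library's permissions; the hardened version is package-private, leaves the caller's own permissions in force and only touches classes the library owns.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Constructed model of the bug class described above; not Infinispan's code.
public final class ReflectionUtilModel {

    // UNSAFE pattern: public entry point that removes Java access checks and
    // executes inside doPrivileged, so any application class that can call it
    // reaches private methods of arbitrary classes with the library's privileges.
    public static Object invokeAccessiblyUnsafe(Object target, Method m, Object... args) {
        return AccessController.doPrivileged((PrivilegedAction<Object>) () -> {
            try {
                m.setAccessible(true);          // bypasses language-level access checks
                return m.invoke(target, args);  // runs with the library's permissions
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException(e);
            }
        });
    }

    // HARDENED pattern: package-private so application code cannot call it,
    // no doPrivileged so a SecurityManager (if installed) checks the caller's
    // own permissions, and the declaring class must belong to the library
    // (the "com.example.lib." prefix is an assumed placeholder).
    static Object invokeAccessiblyChecked(Object target, Method m, Object... args) {
        String owner = m.getDeclaringClass().getName();
        if (!owner.startsWith("com.example.lib.")) {
            throw new SecurityException("reflective access outside library: " + owner);
        }
        try {
            m.setAccessible(true);
            return m.invoke(target, args);
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

When auditing a library for this pattern, look for public static helpers that combine setAccessible(true) with AccessController.doPrivileged and accept a caller-supplied Method or class name.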

Comment 3 Joshua Padman 2019-05-09 03:30:35 UTC
Statement:

Red Hat OpenStack Platform's OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, no OpenDaylight versions will be fixed.

Comment 4 Joshua Padman 2019-05-15 23:05:10 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 8 Marek Novotny 2019-06-24 11:46:30 UTC
What product version of Infinispan includes this fix?

Comment 20 errata-xmlrpc 2019-11-18 14:40:58 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes Vert.x 3.8.3

Via RHSA-2019:3901 https://access.redhat.com/errata/RHSA-2019:3901

Comment 21 Product Security DevOps Team 2019-11-18 18:51:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10174

Comment 22 Kunjan Rathod 2019-11-19 05:03:44 UTC
Created infinispan tracking bugs for this issue:

Affects: fedora-all [bug 1773842]
