Bug 1703469 (CVE-2019-10174) - CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10174
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1723347 1723346 1723348 1732369 1773842
Blocks: 1642900
 
Reported: 2019-04-26 14:17 UTC by Laura Pardo
Modified: 2021-03-04 13:33 UTC
CC List: 101 users

Fixed In Version: Infinispan 10.0.0.Final, Infinispan 9.4.17.Final, Infinispan 8.2.12.Final
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Infinispan: the invokeAccessibly method of the public class ReflectionUtil allows any application class to invoke private methods of any class with Infinispan's own privileges rather than the caller's. An attacker able to run code in the application can use this reflective access to introduce new, malicious behavior into the application.
Clone Of:
Environment:
Last Closed: 2019-11-18 18:51:12 UTC




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2019:3901  0        None      None    None     2019-11-18 14:41:01 UTC
Red Hat Product Errata  RHSA-2020:0481  0        None      None    None     2020-02-12 15:26:55 UTC
Red Hat Product Errata  RHSA-2020:0727  0        None      None    None     2020-03-05 12:53:56 UTC
Red Hat Product Errata  RHSA-2020:0983  0        None      None    None     2020-03-26 15:47:36 UTC
Red Hat Product Errata  RHSA-2020:2062  0        None      None    None     2020-05-11 20:20:29 UTC
Red Hat Product Errata  RHSA-2020:2063  0        None      None    None     2020-05-11 20:33:08 UTC
Red Hat Product Errata  RHSA-2020:2113  0        None      None    None     2020-05-12 17:17:45 UTC
Red Hat Product Errata  RHSA-2020:2333  0        None      None    None     2020-05-28 15:58:50 UTC

Description Laura Pardo 2019-04-26 14:17:51 UTC
A vulnerability was found in Infinispan before version 10.0.0 Final. The invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges.
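Added illustration (not part of the bug report and not Infinispan's ReflectionUtil source) of the shape of the problem described above: a public reflection helper that runs setAccessible/invoke inside a privileged block hands the library's ReflectPermission("suppressAccessChecks") to any caller, because AccessController.doPrivileged stops the stack walk at the library frame. The hardened variant checks the permission against the full call stack before entering the privileged block. The class and method names (ReflectionUtilDemo, Vault, invokeAccessiblyUnsafe) are hypothetical, and the example assumes a deployment with a SecurityManager installed and a policy that grants suppressAccessChecks to the library's code source only.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.ReflectPermission;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/**
 * Illustrative reconstruction of the CVE-2019-10174 pattern. This is NOT
 * Infinispan's ReflectionUtil; names here are hypothetical.
 *
 * Assumed deployment: a SecurityManager is installed and the policy grants
 * ReflectPermission("suppressAccessChecks") to this library's code source,
 * but not to the application code that calls into it.
 */
public final class ReflectionUtilDemo {

    private ReflectionUtilDemo() {}

    // Hypothetical target: a class whose private method untrusted callers must not reach.
    static final class Vault {
        private String unlock() {
            return "secret";
        }
    }

    /**
     * VULNERABLE shape. doPrivileged truncates the access-control stack walk at
     * this frame, so only the library's permissions are consulted for
     * setAccessible(): an application class without suppressAccessChecks
     * still gets the private method invoked on its behalf.
     */
    public static Object invokeAccessiblyUnsafe(Object target, Method method, Object... args)
            throws InvocationTargetException {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
                method.setAccessible(true);          // checked against the library only
                return method.invoke(target, args);
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof InvocationTargetException) {
                throw (InvocationTargetException) cause;   // target method threw; pass it through
            }
            throw new IllegalStateException(cause);        // IllegalAccessException etc.
        }
    }

    /**
     * Hardened shape. The permission is checked BEFORE the privileged block, so
     * every frame on the stack, including the application caller, must hold
     * suppressAccessChecks or the SecurityManager throws SecurityException.
     */
    public static Object invokeAccessibly(Object target, Method method, Object... args)
            throws InvocationTargetException {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new ReflectPermission("suppressAccessChecks"));
        }
        return invokeAccessiblyUnsafe(target, method, args);
    }

    public static void main(String[] args) throws Exception {
        Method unlock = Vault.class.getDeclaredMethod("unlock");
        Vault vault = new Vault();
        // With no SecurityManager both calls succeed; the difference only shows
        // under a policy that grants suppressAccessChecks to the library alone.
        System.out.println("unsafe : " + invokeAccessiblyUnsafe(vault, unlock));
        try {
            System.out.println("checked: " + invokeAccessibly(vault, unlock));
        } catch (SecurityException e) {
            System.out.println("checked: rejected (" + e.getMessage() + ")");
        }
    }
}
```

To reproduce the assumed deployment, run with -Djava.security.manager and a policy whose only reflective grant is to the library, e.g. grant codeBase "file:/opt/lib/library.jar" { permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; }; (path is a placeholder): an application class calling invokeAccessiblyUnsafe still reads "secret", while invokeAccessibly throws SecurityException. The other hardening options are to drop the doPrivileged wrapper entirely, so the caller's frames are always checked, or to stop exposing the helper as public API. Note that the SecurityManager is deprecated for removal since Java 17 and must be enabled with -Djava.security.manager=allow there; on a JVM where it is permanently disabled, getSecurityManager() returns null and the check is skipped, so the hardened variant must not be the only control.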

Comment 3 Joshua Padman 2019-05-09 03:30:35 UTC
Statement:

Red Hat OpenStack Platform's OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, no OpenDaylight versions will be fixed.

Comment 4 Joshua Padman 2019-05-15 23:05:10 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 8 Marek Novotny 2019-06-24 11:46:30 UTC
What product version of Infinispan includes this fix?

Comment 20 errata-xmlrpc 2019-11-18 14:40:58 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes Vert.x 3.8.3

Via RHSA-2019:3901 https://access.redhat.com/errata/RHSA-2019:3901

Comment 21 Product Security DevOps Team 2019-11-18 18:51:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10174

Comment 22 Kunjan Rathod 2019-11-19 05:03:44 UTC
Created infinispan tracking bugs for this issue:

Affects: fedora-all [bug 1773842]

Comment 29 Chess Hazlett 2020-02-12 05:01:33 UTC
Mitigation:

There is no known mitigation for this issue.

Comment 30 errata-xmlrpc 2020-02-12 15:26:50 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 6.3

Via RHSA-2020:0481 https://access.redhat.com/errata/RHSA-2020:0481

Comment 32 errata-xmlrpc 2020-03-05 12:53:52 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.3

Via RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0727

Comment 34 errata-xmlrpc 2020-03-26 15:47:30 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983

Comment 37 errata-xmlrpc 2020-05-11 20:20:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2062 https://access.redhat.com/errata/RHSA-2020:2062

Comment 38 errata-xmlrpc 2020-05-11 20:33:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:2063 https://access.redhat.com/errata/RHSA-2020:2063

Comment 39 errata-xmlrpc 2020-05-12 17:17:40 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign On 7.3

Via RHSA-2020:2113 https://access.redhat.com/errata/RHSA-2020:2113

Comment 40 errata-xmlrpc 2020-05-28 15:58:45 UTC
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333

