CVE-2019-10086
Published: 20 August 2019
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
From the Ubuntu Security Team
It was discovered that Apache Commons BeanUtils improperly handled certain input. An attacker could use this vulnerability to execute arbitrary code.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
commons-beanutils Launchpad, Ubuntu, Debian |
bionic |
Released
(1.9.3-1ubuntu0.1~esm1)
Available with Ubuntu Pro |
| disco |
Ignored
(end of life)
|
|
| eoan |
Not vulnerable
(1.9.4-1)
|
|
| focal |
Not vulnerable
(1.9.4-1)
|
|
| groovy |
Not vulnerable
(1.9.4-1)
|
|
| hirsute |
Not vulnerable
(1.9.4-1)
|
|
| impish |
Not vulnerable
(1.9.4-1)
|
|
| jammy |
Not vulnerable
(1.9.4-1)
|
|
| kinetic |
Not vulnerable
(1.9.4-1)
|
|
| lunar |
Not vulnerable
(1.9.4-1)
|
|
| trusty |
Released
(1.9.1-1ubuntu0.1~esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Released
(1.9.4-1)
|
|
| xenial |
Released
(1.9.2-3ubuntu0.1~esm1)
Available with Ubuntu Pro |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
References
- https://issues.apache.org/jira/browse/BEANUTILS-520
- https://github.com/apache/commons-beanutils/pull/7
- https://github.com/apache/commons-beanutils/commit/dd48f4e589462a8cdb1f29bbbccb35d6b0291d58
- https://ubuntu.com/security/notices/USN-4766-1
- https://www.cve.org/CVERecord?id=CVE-2019-10086
- NVD
- Launchpad
- Debian