CVE-2019-10086

Priority
Description
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was
added which allows suppressing the ability for an attacker to access the
classloader via the class property available on all Java objects. We,
however, were not using this by default characteristic of the
PropertyUtilsBean.
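
On versions from 1.9.2 up to, but not including, the fixed 1.9.4, the introspector the description refers to has to be registered explicitly. The following is an added example, not code from this tracker or from the Commons BeanUtils project; the class SuppressClassProperty, the User bean and the probe helper are constructed for illustration.

```java
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassProperty {

    // Constructed sample bean standing in for any object populated from untrusted input.
    public static class User {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Reports whether a property name is resolvable through the given PropertyUtilsBean.
    static String probe(PropertyUtilsBean utils, Object bean, String property) {
        try {
            utils.getProperty(bean, property);
            return "resolvable";
        } catch (NoSuchMethodException e) {
            // BeanUtils reports an unknown (here: suppressed) property this way.
            return "rejected: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) {
        User user = new User();

        // Library default. On 1.9.2 and 1.9.3 the "class" property is exposed here;
        // 1.9.4 registers the suppression by default, so it is already rejected.
        PropertyUtilsBean defaults = new PropertyUtilsBean();
        System.out.println("default  class: " + probe(defaults, user, "class"));

        // Hardened instance: register the suppressing introspector before first use.
        PropertyUtilsBean hardened = new PropertyUtilsBean();
        hardened.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("hardened class: " + probe(hardened, user, "class"));

        // Ordinary properties are unaffected by the suppression.
        System.out.println("hardened name:  " + probe(hardened, user, "name"));
    }
}
```

Code that goes through the static BeanUtils or PropertyUtils facades needs the same introspector registered on `BeanUtilsBean.getInstance().getPropertyUtils()` at startup; if beans were introspected before registration, call `clearDescriptors()` so cached descriptors are rebuilt.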
Ubuntu-Description
It was discovered that Apache Commons BeanUtils improperly handled certain
input. An attacker could use this vulnerability to execute arbitrary code.
Notes
Package
Upstream: released (1.9.4-1)
Ubuntu 18.04 LTS: needed
Ubuntu 20.04 LTS: not-affected (1.9.4-1)
Ubuntu 21.10: not-affected (1.9.4-1)
Ubuntu 22.04 LTS: not-affected (1.9.4-1)
Ubuntu 14.04 ESM: needed

Updated: 2022-04-25 00:34:11 UTC (commit ecc1009cb19540b950de59270950018900f37f15)