Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2019-10086

Disclosure Date: August 20, 2019
CVE-2019-10086 CVSS v3 Base Score: 7.3
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.3 High
Impact Score:
3.4
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
Low
Integrity (I):
Low
Availability (A):
Low

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Apache Commons Beanutils Apache Commons Beanutils 1.0 to 1.9.3
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • apache,
  • debian,
  • fedoraproject,
  • opensuse,
  • oracle,
  • redhat

Products

  • agile plm 9.3.3,
  • agile plm 9.3.5,
  • agile plm 9.3.6,
  • agile product lifecycle management integration pack 3.5,
  • agile product lifecycle management integration pack 3.6,
  • application testing suite 13.3.0.1,
  • banking platform 2.4.0,
  • banking platform 2.7.1,
  • banking platform 2.9.0,
  • blockchain platform,
  • commons beanutils,
  • communications billing and revenue management 12.0.0.3.0,
  • communications billing and revenue management 7.5,
  • communications billing and revenue management elastic charging engine 11.3.0.9,
  • communications billing and revenue management elastic charging engine 12.0.0.3,
  • communications cloud native core console 1.4.0,
  • communications cloud native core policy 1.9.0,
  • communications cloud native core unified data repository 1.6.0,
  • communications convergence 3.0.2.2.0,
  • communications design studio 7.3.4,
  • communications design studio 7.3.5,
  • communications design studio 7.4.0,
  • communications evolved communications application server 7.1,
  • communications metasolv solution 6.3.0,
  • communications metasolv solution 6.3.1,
  • communications network integrity 7.3.6,
  • communications performance intelligence center 10.4.0.3,
  • communications pricing design center 12.0.0.3.0,
  • communications unified inventory management 7.3.4,
  • communications unified inventory management 7.3.5,
  • communications unified inventory management 7.4.0,
  • communications unified inventory management 7.4.1,
  • customer management and segmentation foundation 18.0,
  • debian linux 8.0,
  • enterprise linux desktop 7.0,
  • enterprise linux eus 7.7,
  • enterprise linux server 7.0,
  • enterprise linux server aus 7.7,
  • enterprise linux server tus 7.7,
  • enterprise linux workstation 7.0,
  • enterprise manager for virtualization 13.4.0.0,
  • fedora 30,
  • fedora 31,
  • financial services revenue management and billing analytics 2.7,
  • financial services revenue management and billing analytics 2.8,
  • flexcube private banking 12.0.0,
  • flexcube private banking 12.1.0,
  • fusion middleware 11.1.1.9,
  • fusion middleware 12.2.1.3.0,
  • fusion middleware 12.2.1.4.0,
  • healthcare foundation 7.1.5,
  • healthcare foundation 7.2.2,
  • healthcare foundation 7.3.0,
  • healthcare foundation 7.3.1,
  • healthcare foundation 8.0.1,
  • hospitality opera 5 5.5,
  • hospitality opera 5 5.6,
  • hospitality reporting and analytics 9.1.0,
  • insurance data gateway 1.0.2.3,
  • jboss enterprise application platform 7.2.0,
  • jd edwards enterpriseone orchestrator,
  • jd edwards enterpriseone orchestrator 9.2.5.3,
  • jd edwards enterpriseone tools,
  • jd edwards enterpriseone tools 9.2.5.3,
  • leap 15.0,
  • leap 15.1,
  • nifi 1.14.0,
  • nifi 1.15.0,
  • peoplesoft enterprise peopletools 8.56,
  • peoplesoft enterprise peopletools 8.57,
  • peoplesoft enterprise pt peopletools 8.56,
  • peoplesoft enterprise pt peopletools 8.57,
  • peoplesoft enterprise pt peopletools 8.58,
  • primavera gateway,
  • real-time decisions solutions 3.2.0.0,
  • retail advanced inventory planning 14.1,
  • retail back office 14.1,
  • retail central office 14.1,
  • retail invoice matching 16.0.3,
  • retail merchandising system 5.0.3.1,
  • retail point-of-service 14.1,
  • retail predictive application server 16.0,
  • retail price management 14.0,
  • retail price management 14.0.1,
  • retail price management 15.0,
  • retail price management 16.0,
  • retail returns management 14.1,
  • retail xstore point of service 15.0,
  • retail xstore point of service 16.0,
  • retail xstore point of service 17.0,
  • retail xstore point of service 18.0,
  • retail xstore point of service 7.1,
  • service bus 11.1.1.9.0,
  • service bus 12.2.1.3.0,
  • service bus 12.2.1.4.0,
  • solaris cluster 4.4,
  • time and labor,
  • utilities framework,
  • utilities framework 4.2.0.2.0,
  • utilities framework 4.2.0.3.0,
  • utilities framework 4.4.0.0.0,
  • utilities framework 4.4.0.2.0,
  • utilities framework 4.4.0.3.0,
  • weblogic server 10.3.6.0.0

References

Canonical
CVE-2019-10086 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086)
Advisory
[www-announce] 20190815 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default. (http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e)
[debian-lts-announce] 20190824 [SECURITY] [DLA 1896-1] commons-beanutils security update (https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html)
[tinkerpop-commits] 20190829 [tinkerpop] branch master updated: Bump commons-beanutils to 1.9.4 for CVE-2019-10086 - CTR (https://lists.apache.org/thread.html/3d1ed1a1596c08c4d5fea97b36c651ce167b773f1afc75251ce7a125@%3Ccommits.tinkerpop.apache.org%3E)
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html
[commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4. (https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E)
[commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4. (https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E)
[commons-issues] 20190925 [GitHub] [commons-validator] jeff-schram opened a new pull request #18: Update pom.xml (https://lists.apache.org/thread.html/02094ad226dbc17a2368beaf27e61d8b1432f5baf77d0ca995bb78bc@%3Cissues.commons.apache.org%3E)
[shiro-dev] 20191001 [jira] [Updated] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix (https://lists.apache.org/thread.html/d6ca9439c53374b597f33b7ec180001625597db48ea30356af01145f@%3Cdev.shiro.apache.org%3E)
[shiro-dev] 20191001 [jira] [Created] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fiix (https://lists.apache.org/thread.html/2fd61dc89df9aeab738d2b49f48d42c76f7d53b980ba04e1d48bce48@%3Cdev.shiro.apache.org%3E)
[shiro-dev] 20191001 [jira] [Commented] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix (https://lists.apache.org/thread.html/c94bc9649d5109a663b2129371dc45753fbdeacd340105548bbe93c3@%3Cdev.shiro.apache.org%3E)
[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities (https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E)
[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities (https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E)
[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities (https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E)
[shiro-dev] 20191023 [jira] [Assigned] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix (https://lists.apache.org/thread.html/5261066cd7adee081ee05c8bf0e96cf0b2eeaced391e19117ae4daa6@%3Cdev.shiro.apache.org%3E)
[shiro-dev] 20191105 [jira] [Resolved] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix (https://lists.apache.org/thread.html/a684107d3a78e431cf0fbb90629e8559a36ff8fe94c3a76e620b39fa@%3Cdev.shiro.apache.org%3E)
FEDORA-2019-bcad44b5d6 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF)
FEDORA-2019-79b5790566 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO)
https://access.redhat.com/errata/RHSA-2019:4317
https://access.redhat.com/errata/RHSA-2020:0057
https://access.redhat.com/errata/RHSA-2020:0194
https://access.redhat.com/errata/RHSA-2020:0806
https://access.redhat.com/errata/RHSA-2020:0811
https://access.redhat.com/errata/RHSA-2020:0804
https://access.redhat.com/errata/RHSA-2020:0805
[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs (https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E)
FEDORA-2019-bcad44b5d6 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF/)
FEDORA-2019-79b5790566 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO/)
[atlas-dev] 20201022 [jira] [Created] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086 (https://lists.apache.org/thread.html/rae81e0c8ebdf47ffaa85a01240836bfece8a990c48f55c7933162b5c@%3Cdev.atlas.apache.org%3E)
[atlas-dev] 20201022 Re: Review Request 72983: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086 (https://lists.apache.org/thread.html/reee57101464cf7622d640ae013b2162eb864f603ec4093de8240bb8f@%3Cdev.atlas.apache.org%3E)
[atlas-dev] 20201023 Re: Review Request 72983: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086 (https://lists.apache.org/thread.html/r18d8b4f9263e5cad3bbaef0cdba0e2ccdf9201316ac4b85e23eb7ee4@%3Cdev.atlas.apache.org%3E)
[atlas-dev] 20201023 [jira] [Updated] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086 (https://lists.apache.org/thread.html/ra87ac17410a62e813cba901fdd4e9a674dd53daaf714870f28e905f1@%3Cdev.atlas.apache.org%3E)
[atlas-commits] 20201023 [atlas] 01/05: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086 (https://lists.apache.org/thread.html/rb8dac04cb7e9cc5dedee8dabaa1c92614f590642e5ebf02a145915ba@%3Ccommits.atlas.apache.org%3E)
[atlas-dev] 20201023 [jira] [Commented] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086 (https://lists.apache.org/thread.html/r6194ced4828deb32023cd314e31f41c61d388b58935d102c7de91f58@%3Cdev.atlas.apache.org%3E)
[atlas-dev] 20201026 [jira] [Updated] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086 (https://lists.apache.org/thread.html/r306c0322aa5c0da731e03f3ce9f07f4745c052c6b73f4e78faf232ca@%3Cdev.atlas.apache.org%3E)
[atlas-dev] 20201023 [jira] [Commented] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086 (https://lists.apache.org/thread.html/racd3e7b2149fa2f255f016bd6bffab0fea77b6fb81c50db9a17f78e6@%3Cdev.atlas.apache.org%3E)
[rocketmq-dev] 20201223 [GitHub] [rocketmq] crazywen opened a new pull request #2515: Update pom.xml (https://lists.apache.org/thread.html/r43de02fd4a4f52c4bdeff8c02f09625d83cd047498009c1cdab857db@%3Cdev.rocketmq.apache.org%3E)
[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] lgcareer commented on pull request #4525: [Improvement-4506][LICENSE] upgrade the version of the commons-beanutils (https://lists.apache.org/thread.html/r513a7a21c422170318115463b399dd58ab447fe0990b13e5884f0825@%3Ccommits.dolphinscheduler.apache.org%3E)
[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] c-f-cooper commented on pull request #4525: [Improvement-4506][LICENSE] upgrade the version of the commons-beanutils (https://lists.apache.org/thread.html/ra9a139fdc0999750dcd519e81384bc1fe3946f311b1796221205f51c@%3Ccommits.dolphinscheduler.apache.org%3E)
[nifi-issues] 20210827 [jira] [Updated] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 (https://lists.apache.org/thread.html/rcc029be4edaaf5b8bb85818aab494e16f312fced07a0f4a202771ba2@%3Cissues.nifi.apache.org%3E)
[nifi-issues] 20210827 [GitHub] [nifi] naddym opened a new pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 (https://lists.apache.org/thread.html/r46e536fc98942dce99fadd2e313aeefe90c1a769c5cd85d98df9d098@%3Cissues.nifi.apache.org%3E)
[nifi-issues] 20210827 [jira] [Created] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 (https://lists.apache.org/thread.html/rec74f3a94dd850259c730b4ba6f7b6211222b58900ec088754aa0534@%3Cissues.nifi.apache.org%3E)
[nifi-issues] 20210907 [GitHub] [nifi] MikeThomsen commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 (https://lists.apache.org/thread.html/r2d5f1d88c39bd615271abda63964a0bee9b2b57fef1f84cb4c43032e@%3Cissues.nifi.apache.org%3E)
[nifi-commits] 20210907 [nifi] branch main updated: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 NIFI-9170 Add two more 1.9.4 references to close out the few things identified by the Maven dependency plugin. (https://lists.apache.org/thread.html/re2028d4d76ba1db3e3c3a722d6c6034e801cc3b309f69cc166eaa32b@%3Ccommits.nifi.apache.org%3E)
[nifi-issues] 20210907 [GitHub] [nifi] asfgit closed pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 (https://lists.apache.org/thread.html/ra41fd0ad4b7e1d675c03a5081a16a6603085a4e37d30b866067566fe@%3Cissues.nifi.apache.org%3E)
[nifi-issues] 20210907 [jira] [Commented] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 (https://lists.apache.org/thread.html/re3cd7cb641d7fc6684e4fc3c336a8bad4a01434bb5625a06e3600fd1@%3Cissues.nifi.apache.org%3E)
[nifi-issues] 20210908 [GitHub] [nifi] naddym commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 (https://lists.apache.org/thread.html/rd2d2493f4f1af6980d265b8d84c857e2b7ab80a46e1423710c448957@%3Cissues.nifi.apache.org%3E)
[nifi-issues] 20210915 [jira] [Updated] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 (https://lists.apache.org/thread.html/rb1f76c2c0a4d6efb8a3523974f9d085d5838b73e7bffdf9a8f212997@%3Cissues.nifi.apache.org%3E)
Miscellaneous
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis