CVE-2019-10086
20.08.2019, 21:15
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.Enginsight
| Vendor | Product | Version |
|---|---|---|
| apache | commons_beanutils | 1.0 ≤ 𝑥 ≤ 1.9.3 |
| apache | nifi | 1.14.0 |
| apache | nifi | 1.15.0 |
| debian | debian_linux | 8.0 |
| opensuse | leap | 15.0 |
| opensuse | leap | 15.1 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_eus | 7.7 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_server_aus | 7.7 |
| redhat | enterprise_linux_server_tus | 7.7 |
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | jboss_enterprise_application_platform | 7.2.0 |
| oracle | agile_plm | 9.3.3 |
| oracle | agile_plm | 9.3.5 |
| oracle | agile_plm | 9.3.6 |
| oracle | agile_product_lifecycle_management_integration_pack | 3.5 |
| oracle | agile_product_lifecycle_management_integration_pack | 3.5 |
| oracle | agile_product_lifecycle_management_integration_pack | 3.6 |
| oracle | agile_product_lifecycle_management_integration_pack | 3.6 |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | banking_platform | 2.4.0 |
| oracle | banking_platform | 2.7.1 |
| oracle | banking_platform | 2.9.0 |
| oracle | blockchain_platform | 𝑥 < 21.1.2 |
| oracle | communications_billing_and_revenue_management | 7.5 |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | 11.3.0.9 |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | 12.0.0.3 |
| oracle | communications_cloud_native_core_console | 1.4.0 |
| oracle | communications_cloud_native_core_policy | 1.9.0 |
| oracle | communications_cloud_native_core_unified_data_repository | 1.6.0 |
| oracle | communications_convergence | 3.0.2.2.0 |
| oracle | communications_design_studio | 7.3.4 |
| oracle | communications_design_studio | 7.3.5 |
| oracle | communications_design_studio | 7.4.0 |
| oracle | communications_evolved_communications_application_server | 7.1 |
| oracle | communications_metasolv_solution | 6.3.0 |
| oracle | communications_metasolv_solution | 6.3.1 |
| oracle | communications_network_integrity | 7.3.6 |
| oracle | communications_performance_intelligence_center | 10.4.0.3 |
| oracle | communications_pricing_design_center | 12.0.0.3.0 |
| oracle | communications_unified_inventory_management | 7.3.4 |
| oracle | communications_unified_inventory_management | 7.3.5 |
| oracle | communications_unified_inventory_management | 7.4.0 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | customer_management_and_segmentation_foundation | 18.0 |
| oracle | enterprise_manager_for_virtualization | 13.4.0.0 |
| oracle | financial_services_revenue_management_and_billing_analytics | 2.7 |
| oracle | financial_services_revenue_management_and_billing_analytics | 2.8 |
| oracle | flexcube_private_banking | 12.0.0 |
| oracle | flexcube_private_banking | 12.1.0 |
| oracle | fusion_middleware | 11.1.1.9 |
| oracle | fusion_middleware | 12.2.1.3.0 |
| oracle | fusion_middleware | 12.2.1.4.0 |
| oracle | healthcare_foundation | 7.1.5 |
| oracle | healthcare_foundation | 7.2.2 |
| oracle | healthcare_foundation | 7.3.0 |
| oracle | healthcare_foundation | 7.3.1 |
| oracle | healthcare_foundation | 8.0.1 |
| oracle | hospitality_opera_5 | 5.5 |
| oracle | hospitality_opera_5 | 5.6 |
| oracle | hospitality_reporting_and_analytics | 9.1.0 |
| oracle | insurance_data_gateway | 1.0.2.3 |
| oracle | jd_edwards_enterpriseone_orchestrator | 𝑥 < 9.2.5.3 |
| oracle | jd_edwards_enterpriseone_orchestrator | 9.2.5.3 |
| oracle | jd_edwards_enterpriseone_tools | 𝑥 < 9.2.5.3 |
| oracle | jd_edwards_enterpriseone_tools | 9.2.5.3 |
| oracle | peoplesoft_enterprise_peopletools | 8.56 |
| oracle | peoplesoft_enterprise_peopletools | 8.57 |
| oracle | peoplesoft_enterprise_pt_peopletools | 8.56 |
| oracle | peoplesoft_enterprise_pt_peopletools | 8.57 |
| oracle | peoplesoft_enterprise_pt_peopletools | 8.58 |
| oracle | primavera_gateway | 16.2.0 ≤ 𝑥 ≤ 16.2.11 |
| oracle | primavera_gateway | 17.12.0 ≤ 𝑥 ≤ 17.12.6 |
| oracle | real-time_decisions_solutions | 3.2.0.0 |
| oracle | retail_advanced_inventory_planning | 14.1 |
| oracle | retail_back_office | 14.1 |
| oracle | retail_central_office | 14.1 |
| oracle | retail_invoice_matching | 16.0.3 |
| oracle | retail_merchandising_system | 5.0.3.1 |
| oracle | retail_point-of-service | 14.1 |
| oracle | retail_predictive_application_server | 16.0 |
| oracle | retail_price_management | 14.0 |
| oracle | retail_price_management | 14.0.1 |
| oracle | retail_price_management | 15.0 |
| oracle | retail_price_management | 16.0 |
| oracle | retail_returns_management | 14.1 |
| oracle | retail_xstore_point_of_service | 7.1 |
| oracle | retail_xstore_point_of_service | 15.0 |
| oracle | retail_xstore_point_of_service | 16.0 |
| oracle | retail_xstore_point_of_service | 17.0 |
| oracle | retail_xstore_point_of_service | 18.0 |
| oracle | service_bus | 11.1.1.9.0 |
| oracle | service_bus | 12.2.1.3.0 |
| oracle | service_bus | 12.2.1.4.0 |
| oracle | solaris_cluster | 4.4 |
| oracle | time_and_labor | 12.2.6 ≤ 𝑥 ≤ 12.2.11 |
| oracle | utilities_framework | 4.3.0.1.0 ≤ 𝑥 ≤ 4.3.0.6.0 |
| oracle | utilities_framework | 4.2.0.2.0 |
| oracle | utilities_framework | 4.2.0.3.0 |
| oracle | utilities_framework | 4.4.0.0.0 |
| oracle | utilities_framework | 4.4.0.2.0 |
| oracle | utilities_framework | 4.4.0.3.0 |
| oracle | weblogic_server | 10.3.6.0.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| commons-beanutils |
|
Common Weakness Enumeration
References