apache-commons-beanutils-1.9.4-3.7 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10617 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z apache-commons-beanutils-1.9.4-3.7 on GA media These are all security issues fixed in the apache-commons-beanutils-1.9.4-3.7 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10617 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10617 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2014-0114/ SUSE CVE CVE-2014-0114 page https://www.suse.com/security/cve/CVE-2015-4852/ SUSE CVE CVE-2015-4852 page https://www.suse.com/security/cve/CVE-2019-10086/ SUSE CVE CVE-2019-10086 page openSUSE Tumbleweed apache-commons-beanutils-1.9.4-3.7 apache-commons-beanutils-javadoc-1.9.4-3.7 apache-commons-beanutils-1.9.4-3.7 as a component of openSUSE Tumbleweed apache-commons-beanutils-javadoc-1.9.4-3.7 as a component of openSUSE Tumbleweed Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. CVE-2014-0114 openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7 openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-0114.html CVE-2014-0114 https://bugzilla.suse.com/778464 SUSE Bug 778464 https://bugzilla.suse.com/875455 SUSE Bug 875455 https://bugzilla.suse.com/885963 SUSE Bug 885963 The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product. CVE-2015-4852 openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7 openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-4852.html CVE-2015-4852 https://bugzilla.suse.com/954102 SUSE Bug 954102 https://bugzilla.suse.com/955853 SUSE Bug 955853 In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. CVE-2019-10086 openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7 openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10086.html CVE-2019-10086 https://bugzilla.suse.com/1146657 SUSE Bug 1146657