Security update for apache-commons-beanutils SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:01815-1 Final 1 1 2025-06-04T17:01:27Z current 2025-06-04T17:01:27Z 2025-06-04T17:01:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache-commons-beanutils This update for apache-commons-beanutils fixes the following issues: Update to 1.11.0 - CVE-2025-48734: Fixed possible arbitrary code execution vulnerability (bsc#1243793) Full changelog: https://commons.apache.org/proper/commons-beanutils/changes.html#a1.11.0 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1815,SUSE-SLE-Module-Web-Scripting-15-SP6-2025-1815,SUSE-SLE-Module-Web-Scripting-15-SP7-2025-1815,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-1815,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-1815,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-1815,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-1815,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-1815,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-1815,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-1815,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-1815,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-1815,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-1815,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-1815,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-1815,SUSE-Storage-7.1-2025-1815,openSUSE-SLE-15.6-2025-1815 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202501815-1/ Link for SUSE-SU-2025:01815-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040143.html E-Mail link for SUSE-SU-2025:01815-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1243793 SUSE Bug 1243793 https://www.suse.com/security/cve/CVE-2025-48734/ SUSE CVE CVE-2025-48734 page SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS SUSE Linux Enterprise Module for Web and Scripting 15 SP6 SUSE Linux Enterprise Module for Web and Scripting 15 SP7 SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server 15 SP5-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Manager Server 4.3 openSUSE Leap 15.6 apache-commons-beanutils-1.11.0-150200.3.9.1 apache-commons-beanutils-javadoc-1.11.0-150200.3.9.1 apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Enterprise Storage 7.1 apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7 apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise Server 15 SP5-LTSS apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP5 apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of SUSE Manager Server 4.3 apache-commons-beanutils-1.11.0-150200.3.9.1 as a component of openSUSE Leap 15.6 apache-commons-beanutils-javadoc-1.11.0-150200.3.9.1 as a component of openSUSE Leap 15.6 Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum's class loader via the "declaredClass" property available on all Java "enum" objects. Accessing the enum's "declaredClass" allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the "declaredClass" property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue. CVE-2025-48734 SUSE Enterprise Storage 7.1:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise Server 15 SP4-LTSS:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise Server 15 SP5-LTSS:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:apache-commons-beanutils-1.11.0-150200.3.9.1 SUSE Manager Server 4.3:apache-commons-beanutils-1.11.0-150200.3.9.1 openSUSE Leap 15.6:apache-commons-beanutils-1.11.0-150200.3.9.1 openSUSE Leap 15.6:apache-commons-beanutils-javadoc-1.11.0-150200.3.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501815-1/ https://www.suse.com/security/cve/CVE-2025-48734.html CVE-2025-48734 https://bugzilla.suse.com/1243793 SUSE Bug 1243793