CVE-2019-10086
Classloader Manipulation vulnerability in commons-beanutils:commons-beanutils


What is CVE-2019-10086 About?

This vulnerability in Apache Commons Beanutils 1.9.2 arises because a special BeanIntrospector, which suppresses access to the classloader via the 'class' property, was not used by default. This oversight could allow attackers to manipulate application behavior or execute arbitrary code. Exploiting this vulnerability would likely require specific application logic that processes untrusted input through Beanutils.

Affected Software

commons-beanutils:commons-beanutils <1.9.4

Technical Details

The vulnerability stems from the `PropertyUtilsBean` in Apache Commons Beanutils 1.9.2 not utilizing a specific `BeanIntrospector` class designed to prevent classloader access. In Java, all objects have a 'class' property which provides access to the classloader. If an attacker can manipulate this property through bean introspection, they might be able to load malicious classes or modify system properties. Since the protective `BeanIntrospector` was not used by default, the application remained vulnerable to attacks that leverage this classloader access to gain control or information.
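The following startup check is an added example, not code from this page or from the Beanutils project. It tests whether the 'class' property is still resolvable through the shared `PropertyUtilsBean` and, if so, registers `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS`, the introspector described above. It assumes commons-beanutils 1.9.2 or later on the classpath; `ClassPropertyGuard` and `Account` are hypothetical names.

```java
import java.beans.PropertyDescriptor;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyGuard {

    /** Constructed sample bean standing in for an application DTO. */
    public static class Account {
        private String owner;
        public String getOwner() { return owner; }
        public void setOwner(String owner) { this.owner = owner; }
    }

    /** True if introspection through this instance still resolves 'class'. */
    static boolean classPropertyExposed(PropertyUtilsBean pub) throws Exception {
        PropertyDescriptor pd = pub.getPropertyDescriptor(new Account(), "class");
        return pd != null;
    }

    /** Registers the suppressing introspector when it is not active, then re-checks. */
    static void harden(PropertyUtilsBean pub) throws Exception {
        if (classPropertyExposed(pub)) {
            pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
            // Descriptors are cached per class; clear them so the new
            // introspector is applied to classes already introspected.
            pub.clearDescriptors();
        }
        if (classPropertyExposed(pub)) {
            throw new IllegalStateException("'class' property is still exposed");
        }
    }

    public static void main(String[] args) throws Exception {
        // BeanUtilsBean.getInstance() is scoped to the context classloader;
        // any PropertyUtilsBean the application constructs itself needs the
        // same treatment.
        PropertyUtilsBean pub = BeanUtilsBean.getInstance().getPropertyUtils();
        System.out.println("before: class exposed = " + classPropertyExposed(pub));
        harden(pub);
        System.out.println("after:  class exposed = " + classPropertyExposed(pub));
    }
}
```

Running the check once at application start, before any request data reaches Beanutils, makes the process fail closed if the suppression cannot be applied.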

What is the Impact of CVE-2019-10086?

Successful exploitation may allow attackers to manipulate application behavior, load arbitrary code, or access sensitive system resources.

What is the Exploitability of CVE-2019-10086?

Exploitation typically involves providing specially crafted input that is processed by Apache Commons Beanutils, specifically via its `PropertyUtilsBean` component. The complexity level is moderate, as it requires knowledge of the target application's use of Beanutils and how properties are set. Authentication may or may not be required, depending on whether user-controlled input susceptible to bean property manipulation is handled pre- or post-authentication. Privilege requirements are generally low, as the attack leverages a library's behavior rather than system-level privileges. This is usually a remote vulnerability, relying on an attacker's ability to send malicious data. Specific application contexts where untrusted data is directly mapped to object properties via Beanutils methods significantly increase the likelihood of successful exploitation.

What are the Known Public Exploits?

PoC Author | Link | Commentary
evilangelplus | Link | wait for exp.

What are the Available Fixes for CVE-2019-10086?

Available Upgrade Options

  • commons-beanutils:commons-beanutils
    • <1.9.4 → Upgrade to 1.9.4


What are Similar Vulnerabilities to CVE-2019-10086?

Similar Vulnerabilities: CVE-2014-0050, CVE-2015-8495, CVE-2019-10087, CVE-2019-10088, CVE-2019-10089