Headline
CVE-2019-10174: invokeAccessibly method from ReflectionUtil class allows to invoke private methods
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan’s privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
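The pattern behind this class of bug, as an added illustration that is not Infinispan's code: a public reflection helper that lifts access checks inside its own privileged context, beside a hardened form that demands the reflection permission on the caller's stack first. `AccessibleInvokeDemo`, `invokeAccessiblyUnsafe` and `invokeAccessiblySafe` are hypothetical names; the example assumes a `SecurityManager` is installed with a policy that grants `suppressAccessChecks` to the helper's code source but not to the caller's.

```java
import java.lang.reflect.Method;
import java.lang.reflect.ReflectPermission;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

// Hypothetical demo class; shows the shape of the issue, not Infinispan's code.
public final class AccessibleInvokeDemo {

    private String secret() { return "private result"; }

    // Vulnerable shape: setAccessible(true) runs inside the helper's own
    // doPrivileged block, so the access check is evaluated against the
    // helper's (trusted) protection domain. Any caller that can reach this
    // public method can invoke private members with the helper's privileges.
    public static Object invokeAccessiblyUnsafe(Object target, Method m, Object... args)
            throws Exception {
        return AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
            m.setAccessible(true);
            return m.invoke(target, args);
        });
    }

    // Hardened shape: require ReflectPermission("suppressAccessChecks") on the
    // caller's stack before entering any privileged block. A caller that lacks
    // the permission gets a SecurityException instead of borrowed privileges.
    public static Object invokeAccessiblySafe(Object target, Method m, Object... args)
            throws Exception {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new ReflectPermission("suppressAccessChecks"));
        }
        return AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
            m.setAccessible(true);
            return m.invoke(target, args);
        });
    }

    public static void main(String[] args) throws Exception {
        Method m = AccessibleInvokeDemo.class.getDeclaredMethod("secret");
        AccessibleInvokeDemo demo = new AccessibleInvokeDemo();
        // With no SecurityManager both calls succeed; with one installed and the
        // caller lacking suppressAccessChecks, only the unsafe variant succeeds.
        System.out.println(invokeAccessiblySafe(demo, m));
    }
}
```

Note that `SecurityManager` is deprecated for removal in recent JDKs, so the hardened form's check only has effect on runtimes that still install one; on newer JDKs the equivalent boundary is module encapsulation rather than a stack-based permission check.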
Description Laura Pardo 2019-04-26 14:17:51 UTC
A vulnerability was found in Infinispan before version 10.0.0 Final. The invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan’s privileges.
Comment 3 Joshua Padman 2019-05-09 03:30:35 UTC
Statement:
Red Hat OpenStack Platform's OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, OpenDaylight versions will not be fixed.
Comment 8 Marek Novotny 2019-06-24 11:46:30 UTC
What product version of Infinispan includes this fix?
Comment 22 Kunjan Rathod 2019-11-19 05:03:44 UTC
Created infinispan tracking bugs for this issue:
Affects: fedora-all [bug 1773842]
Comment 29 Chess Hazlett 2020-02-12 05:01:33 UTC
Mitigation:
There is no known mitigation for this issue.
Comment 38 errata-xmlrpc 2020-05-11 20:33:04 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8
Via RHSA-2020:2063 https://access.redhat.com/errata/RHSA-2020:2063