CVE-2019-10086

7.3 HIGH

📋 TL;DR

This vulnerability in Apache Commons Beanutils allows attackers to access the classloader property on Java objects, potentially leading to remote code execution. It affects applications using Apache Commons Beanutils 1.9.2 with default PropertyUtilsBean configuration. The vulnerability enables deserialization attacks when untrusted data is processed.

💻 Affected Systems

Products:
  • Apache Commons Beanutils
Versions: 1.9.2 specifically (though other versions may be affected by similar issues)
Operating Systems: All operating systems running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Applications must be using PropertyUtilsBean with its default settings. The library ships a BeanIntrospector that can suppress the `class` property (and with it classloader access), but PropertyUtilsBean does not enable it by default, so every application that does not add it explicitly is exposed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application compromise allowing data manipulation, privilege escalation, or lateral movement within the network.

🟢 If Mitigated: Limited impact with proper input validation, network segmentation, and least privilege principles in place.

🌐 Internet-Facing: HIGH - Web applications processing user input with vulnerable Beanutils are directly exposed.
🏢 Internal Only: MEDIUM - Internal applications may be vulnerable but require initial access to the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the application to process untrusted serialized data. The vulnerability is part of known deserialization attack chains.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.3 or later

Vendor Advisory: http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4%40apache.org%3e

Restart Required: Yes

Instructions:

1. Update Apache Commons Beanutils to version 1.9.3 or later.
2. Update your application's dependencies to use the patched version.
3. Restart the application server or service.
4. Verify the fix by checking the version in use.

🔧 Temporary Workarounds

Configure BeanIntrospector (applies to: all platforms)

Manually configure PropertyUtilsBean to use the SUPPRESS_CLASS BeanIntrospector so that the `class` property, and through it the classloader, is not exposed. The constant lives on SuppressPropertiesBeanIntrospector (BeanIntrospector itself is only the interface):

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

PropertyUtilsBean propertyUtilsBean = new PropertyUtilsBean();
// Blocks access to the "class" property on every bean handled by this instance
propertyUtilsBean.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

Input Validation (applies to: all platforms)

Implement strict input validation to reject any untrusted serialized data.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable applications
  • Deploy web application firewall (WAF) rules to block suspicious serialized data patterns

🔍 How to Verify

Check if Vulnerable:

Check your application's dependencies for Apache Commons Beanutils version 1.9.2. Review code usage of PropertyUtilsBean.

Check Version:

Check Maven/Gradle dependencies, or list the JAR contents with `jar tf your-app.jar | grep beanutils` and read the version from the bundled Beanutils JAR's manifest.

Verify Fix Applied:

Verify the application is using Apache Commons Beanutils version 1.9.3 or later. Test that classloader property access is blocked.
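The following Java example is added here to illustrate both the workaround above and this verification step; it is not code from the Apache Commons Beanutils project or from the advisory. It builds a PropertyUtilsBean with the SUPPRESS_CLASS introspector, installs it behind the static BeanUtils/PropertyUtils facades so that application code using those facades picks it up, and then probes whether the `class` property of a sample bean is still reachable. The `Account` bean is a constructed stand-in for whatever type untrusted input is mapped onto.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanutilsHardeningCheck {

    // Constructed sample bean: stands in for any type populated from untrusted input.
    public static class Account {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Builds a PropertyUtilsBean that refuses to expose the "class" property. */
    public static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub;
    }

    /**
     * Installs the hardened instance behind the static BeanUtils and PropertyUtils
     * facades, which is what most application code calls.
     */
    public static void installGlobally() {
        BeanUtilsBean hardened = new BeanUtilsBean(new ConvertUtilsBean(), hardenedPropertyUtils());
        BeanUtilsBean.setInstance(hardened);
    }

    /**
     * Returns true if the "class" property (and therefore the classloader) can be read
     * through the given PropertyUtilsBean. A suppressed property surfaces as
     * NoSuchMethodException ("Unknown property 'class'"), which is the expected
     * outcome after the workaround or the vendor fix.
     */
    public static boolean classPropertyReachable(PropertyUtilsBean pub) {
        try {
            Object cls = pub.getProperty(new Account(), "class");
            return cls != null;
        } catch (NoSuchMethodException e) {
            return false;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("unexpected reflection failure", e);
        }
    }

    public static void main(String[] args) {
        System.out.println("default  -> class reachable: "
                + classPropertyReachable(new PropertyUtilsBean()));
        System.out.println("hardened -> class reachable: "
                + classPropertyReachable(hardenedPropertyUtils()));
        installGlobally();
    }
}
```

On an unpatched 1.9.2 the first line reports `true` and the second `false`; on a patched release both report `false`, which is the check that the fix is actually in effect at runtime rather than only in the dependency manifest. Note that `installGlobally()` only covers code that goes through the static facades; any `PropertyUtilsBean` or `BeanUtilsBean` the application constructs itself must be hardened the same way.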

📡 Detection & Monitoring

Log Indicators:

  • Unusual Java deserialization errors
  • ClassNotFoundException for unexpected classes
  • Security manager violations related to classloader access

Network Indicators:

  • Inbound requests containing serialized Java objects
  • Unusual outbound connections from application servers

SIEM Query:

source="application.log" AND ("Beanutils" OR "PropertyUtilsBean" OR "deserialization") AND ("error" OR "exception" OR "security")
