<div class="container">
<h1>Security update for apache-commons-beanutils</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:02056-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-06-20T16:17:25Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1243793">bsc#1243793</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2014-0114.html">CVE-2014-0114</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2015-4852.html">CVE-2015-4852</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-48734.html">CVE-2025-48734</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2015-4852</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2015-4852</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-48734</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-48734</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 12 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 12 SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves three vulnerabilities can now be installed.</p>
<h2>Description:</h2>
<p>This update for apache-commons-beanutils fixes the following issues:</p>
<p>Update to 1.11.0:</p>
<ul>
<li>
<p>Fixed Bugs:</p>
<ul>
<li>BeanComparator.compare(T, T) now throws
IllegalArgumentException instead of RuntimeException to wrap
all cases of ReflectiveOperationException.</li>
<li>MappedMethodReference.get() now throws IllegalStateException
instead of RuntimeException to wrap cases of
NoSuchMethodException.</li>
<li>ResultSetIterator.get(String) now throws
IllegalArgumentException instead of RuntimeException to wrap
cases of SQLException.</li>
<li>ResultSetIterator.hasNext() now throws IllegalStateException
instead of RuntimeException to wrap cases of SQLException.</li>
<li>ResultSetIterator.next() now throws IllegalStateException
instead of RuntimeException to wrap cases of SQLException.</li>
<li>ResultSetIterator.set(String, Object) now throws
IllegalArgumentException instead of RuntimeException to wrap
cases of SQLException.</li>
<li>ResultSetIterator.set(String, String, Object) now throws
IllegalArgumentException instead of RuntimeException to wrap
cases of SQLException.</li>
</ul>
</li>
<li>
<p>Changes:</p>
<ul>
<li>Add org.apache.commons.beanutils
.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS.
Fixes bsc#1243793, CVE-2025-48734</li>
<li>Bump org.apache.commons:commons-parent from 81 to 84.</li>
<li>Bump commons-logging:commons-logging from 1.3.4 to 1.3.5.</li>
</ul>
</li>
</ul>
<p>Update to 1.10.1:</p>
<ul>
<li>
<p>Fixed Bugs:</p>
<ul>
<li>BEANUTILS-541: FluentPropertyBeanIntrospector concurrency
issue (backport to 1.X) #325.</li>
<li>Javadoc is missing its Overview page.</li>
<li>Remove -nouses directive from maven-bundle-plugin. OSGi
package imports now state 'uses' definitions for package
imports, this doesn't affect JPMS (from
org.apache.commons:commons-parent:80).</li>
<li>Deprecate BeanUtils.BeanUtils().</li>
<li>Deprecate ConstructorUtils.ConstructorUtils().</li>
<li>Deprecate LocaleBeanUtils.LocaleBeanUtils().</li>
<li>Deprecate LocaleConvertUtils.LocaleConvertUtils().</li>
<li>Deprecate ConvertUtils.ConvertUtils().</li>
<li>Deprecate MethodUtils.MethodUtils().</li>
<li>Deprecate PropertyUtils.PropertyUtils().</li>
</ul>
</li>
<li>
<p>Changes:</p>
<ul>
<li>Bump org.apache.commons:commons-parent from 78 to 81.</li>
</ul>
</li>
</ul>
<p>Includes changes from 1.10.0:</p>
<ul>
<li>
<p>Fixed Bugs:</p>
<ul>
<li>BEANUTILS-541: FluentPropertyBeanIntrospector caches
corrupted writeMethod (1.x backport) #69.</li>
<li>Replace internal use of Locale.ENGLISH with Locale.ROOT.</li>
<li>Replace Maven CLIRR plugin with JApiCmp.</li>
<li>Port to Java 1.4 Throwable APIs (!).</li>
<li>Fix Javadoc generation on Java 8, 17, and 21.</li>
<li>AbstractArrayConverter.parseElements(String) now returns a
List<String> instead of a raw List.</li>
</ul>
</li>
<li>
<p>Changes:</p>
<ul>
<li>Bump org.apache.commons:commons-parent from 47 to 78.</li>
<li>Bump Java requirement from Java 6 to 8.</li>
<li>Bump junit:junit from 4.12 to 4.13.2.</li>
<li>Bump JUnit from 4.x to 5.x "vintage".</li>
<li>Bump commons-logging:commons-logging from 1.2 to 1.3.4.</li>
<li>Deprecate BeanUtilsBean.initCause(Throwable, Throwable) for
removal, use Throwable.initCause(Throwable).</li>
<li>Deprecate BeanUtils.initCause(Throwable, Throwable) for
removal, use Throwable.initCause(Throwable).</li>
</ul>
</li>
</ul>
<p>Update to 1.9.4:</p>
<ul>
<li>BEANUTILS-520: BeanUtils mitigate CVE-2014-0114</li>
</ul>
<p>Updated to 1.9.3:</p>
<ul>
<li>This is a bug fix release, which also improves the tests for
building on Java 8.</li>
<li>
<p>Note that Java 8 and later no longer support indexed bean
properties on java.util.List, only on arrays like String[].
(BEANUTILS-492). This affects PropertyUtils.getPropertyType()
and PropertyUtils.getPropertyDescriptor(); their javadoc have
therefore been updated to reflect this change in the JDK.</p>
</li>
<li>
<p>Changes in this version include:</p>
<ul>
<li>
<p>Fixed Bugs:</p>
</li>
<li>
<p>BEANUTILS-477: Changed log level in FluentPropertyBeanIntrospector</p>
</li>
<li>BEANUTILS-492: Fixed exception when setting indexed properties
on DynaBeans.</li>
<li>BEANUTILS-470: Precision lost when converting BigDecimal.</li>
<li>
<p>BEANUTILS-465: Indexed List Setters fixed.</p>
</li>
<li>
<p>Changes:</p>
</li>
<li>
<p>BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12.</p>
</li>
<li>BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2.</li>
<li>BEANUTILS-474: FluentPropertyBeanIntrospector does not use the
same naming algorithm as DefaultBeanIntrospector.</li>
<li>BEANUTILS-490: Update Java requirement from Java 5 to 6.</li>
<li>BEANUTILS-482: Update commons-collections from 3.2.1 to 3.2.2
(CVE-2015-4852).</li>
<li>BEANUTILS-490: Update java requirement to Java 6.</li>
<li>BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8.</li>
<li>BEANUTILS-495: DateConverterTestBase fails on M/d/yy in Java 9.</li>
<li>BEANUTILS-496: testGetDescriptorInvalidBoolean fails on Java 9.</li>
<li>Historical list of changes:
http://commons.apache.org/proper/commons-beanutils/changes-report.html</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
<br/>
<code>zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2056=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 12 SP5 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-2056=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
<ul>
<li>apache-commons-beanutils-1.11.0-7.3.1</li>
<li>apache-commons-beanutils-javadoc-1.11.0-7.3.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 12 SP5 LTSS (noarch)
<ul>
<li>apache-commons-beanutils-1.11.0-7.3.1</li>
<li>apache-commons-beanutils-javadoc-1.11.0-7.3.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2014-0114.html">https://www.suse.com/security/cve/CVE-2014-0114.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2015-4852.html">https://www.suse.com/security/cve/CVE-2015-4852.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-48734.html">https://www.suse.com/security/cve/CVE-2025-48734.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1243793">https://bugzilla.suse.com/show_bug.cgi?id=1243793</a>
</li>
</ul>
</div>