suse-su-2025:03285-1
Vulnerability from csaf_suse
Published
2025-09-21 09:18
Modified
2025-09-21 09:18
Summary
Security update for mybatis, ognl
Notes
Title of the patch
Security update for mybatis, ognl
Description of the patch
This update for mybatis, ognl fixes the following issues:
Version update to 3.5.7:
* Bug fixes:
+ Improved performance under JDK 8. #2223
Version update to 3.5.8:
* List of changes:
+ Avoid NullPointerException when mapping an empty string to
java.lang.Character. #2368
+ Fixed an incorrect argument when initializing static object.
This resolves a compatibility issue with quarkus-mybatis.
#2284
+ Performance improvements. #2297 #2335 #2340
Version update to 3.5.9:
* List of changes:
+ Add nullable to <foreach />. If enabled, it skips the
iteration when the collection is null instead of throwing an
exception. To enable this feature globally, set
nullableOnForEach=true in the config. #1883
Version update to 3.5.10:
* Bug fixes:
+ Unexpected illegal reflective access warning (or
InaccessibleObjectException on Java 16+) when calling method
in OGNL expression. #2392
+ IllegalAccessException when auto-mapping Records (JEP-359)
#2195
+ 'interrupted' status is not set when
PooledConnection#getConnection() is interrupted. #2503
* Enhancements:
+ A new option argNameBasedConstructorAutoMapping is added. If
enabled, constructor argument names are used to look up
columns when auto-mapping. #2192
+ Added a new property skipSetAutoCommitOnClose to
JdbcTransactionFactory. Skipping setAutoCommit() call could
improve performance with some drivers. #2426
+ <idArg /> can now be listed after <arg /> in <constructor />.
#2541
Version update to 3.5.11:
* Bug fixes:
+ OGNL could throw IllegalArgumentException when invoking
inherited method. #2609
+ returnInstanceForEmptyRow is not applied to constructor
auto-mapping. #2665
Version update to 3.5.12:
* User impactful changes
+ #2703 Referencing collection parameter by name fails fixing
#2693
+ #2709 Fix a race condition caused by other threads calling
mapper methods while mapped tables are being constructed
+ #2727 Enable ability to provide custom configuration to
XMLConfigBuilder
+ #2731 Adding mapper could fail under JPMS
+ #2741 Add 'affectedData' attribute to @select,
@SelectProvider, and <select />
+ #2767 Resolve resultType by namespace and id when not
provided resultType and resultMap
+ #2804 Search readable property when resolving constructor arg
type by name
+ Minor correction: 'boolean' can never be null (primitive)
+ General library updates
+ Uses parameters option for compiler now (needed by spring boot
3) (for reflection needs)
* Code cleanup
+ #2816 Use open rewrite to partially cleanup java code
+ #2817 Add private constructors per open rewrite
+ #2819 Add final where appropriate per open rewrite
+ #2825 Cleanup if statement breaks / return logic
+ #2826 Eclipse based cleanup
* Build
+ #2820 Remove test ci group profile in favor of more direct
usage on GH-Actions and update deprecated surefire along in
overview in README.md
+ Adjustments to build so shaded ognl and javassist no longer
throw warnings
+ Build with jdk 21-ea as well now
+ Various test cleanup, updates, and additions
+ Turn on auto formatting of all java code including note to
contributors on readme to skip formatting when necessary in
code blocks
+ Tests may use jdk 11 now while retaining jdk 8 runtime
+ Pom cleanup / better clarification on parameters
* Documentation
+ Various documentation updates
Version update to 3.5.13:
* Bug fix:
+ Unable to resolve result type when the target property has
a getter with different return type #2834
Version update to 3.5.14:
* Bug fixes:
+ Registered type handler is not used for anonymous enums #2956
+ Discriminator does not work in constructor mapping #2913
Version update to 3.5.15:
* Changes
+ XNode#toString() should output all child nodes. See #3001 and
associated tickets on this issue
+ Fix performance of mappedColumnNames.contains by using 'set'
rather than 'list'. See #3023
+ Fix osgi issue with javassist. See #3031
+ Updated shaded OGNL to 3.4.2. See #3035
+ Add support method for generating dynamic sql on SQL class.
See #2887
+ General library updates
+ General document updates
* Build
+ We now show builds from java 11, 17, 21, and 22 on Github
Actions. Code is still java 8 compatible at this time.
+ Update vulnerable hsqldb to 2.7.2, fixing our tests that now
work due to newer support. Note: users were never affected by
this, but at least one user pull request was opened for it, in
addition to both renovate and dependabot updates and various
reports about it.
+ Now using more properties to define versions in pom to lower
the frequency of pull requests from renovate
Version update to 3.5.16:
* Security:
+ Prevent Invocation from being used by vulnerable applications.
#3115
* Bugs:
+ When database ID resolution fails, an invalid bound statement
is used. #3040
* Enhancements:
+ It is now possible to write a custom map wrapper to customize
how to map column name with dots or brackets. #13 #3062
* Performance:
+ Improved compatibility with Virtual Threads introduced by
Loom.
+ Reduced memory footprint when performing the default (i.e.
order based) constructor auto-mapping. #3113
* Build:
+ Include the shaded libraries (OGNL and Javassist) in the
sources.jar.
Version update to 3.5.17:
* Bugs:
+ VendorDatabaseIdProvider#getDatabaseId() should return product
name when properties is empty #3297
+ Update NClobTypeHandler to use methods for national character
set #3298
* Enhancements:
+ Allow DefaultSqlSessionFactory to provide a custom
SqlSession #3128
Version update to 3.5.18:
* Regressions
+ Fixed issue in 3.5.17 #3334
* New
+ Ignore empty xnode per #3349
+ Share expression validator #3339
+ Throw helpful error instead of IndexOutOfBoundsException
(automapping) #3327
+ Optimize mapper builder #3252
* Tests
+ Add TransactionFactory, Transaction test cases #3277
* Build
+ Reworked pom to match current java 17 build usage
+ Moved all tests to newer java standards
+ Cleaned up github actions
+ Run 'site' branch only on release commits
Version update to 3.5.19:
* Revert regression introduced by #3349.
ognl:
- Initial packaging with version 3.4.7. ognl replaces the EOLed
apache-commons-ognl, which has an unpatched security bug
(bsc#1248252, CVE-2025-53192).
Patchnames
SUSE-2025-3285,openSUSE-SLE-15.6-2025-3285
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for mybatis, ognl", "title": "Title of the patch" }, { "category": "description", "text": "This update for mybatis, ognl fixes the following issues:\n\nVersion update to 3.5.7:\n\n * Bug fixes:\n\n + Improved performance under JDK 8. #2223\n\nVersion update to 3.5.8:\n\n * List of changes:\n\n + Avoid NullPointerException when mapping an empty string to\n java.lang.Character. #2368\n + Fixed an incorrect argument when initializing static object.\n This resolves a compatibility issue with quarkus-mybatis.\n #2284\n + Performance improvements. #2297 #2335 #2340\n\nVersion update to 3.5.9:\n\n * List of changes:\n\n + Add nullable to \u003cforeach /\u003e. If enabled, it skips the\n iteration when the collection is null instead of throwing an\n exception. To enable this feature globally, set\n nullableOnForEach=true in the config. #1883\n\nVersion update to 3.5.10:\n\n * Bug fixes:\n\n + Unexpected illegal reflective access warning (or\n InaccessibleObjectException on Java 16+) when calling method\n in OGNL expression. #2392\n + IllegalAccessException when auto-mapping Records (JEP-359)\n #2195\n + \u0027interrupted\u0027 status is not set when\n PooledConnection#getConnection() is interrupted. #2503\n\n * Enhancements:\n\n + A new option argNameBasedConstructorAutoMapping is added. If\n enabled, constructor argument names are used to look up\n columns when auto-mapping. #2192\n + Added a new property skipSetAutoCommitOnClose to\n JdbcTransactionFactory. Skipping setAutoCommit() call could\n improve performance with some drivers. 
#2426\n + \u003cidArg /\u003e can now be listed after \u003carg /\u003e in \u003cconstructor /\u003e.\n #2541\n\nVersion update to 3.5.11:\n\n * Bug fixes:\n\n + OGNL could throw IllegalArgumentException when invoking\n inherited method. #2609\n + returnInstanceForEmptyRow is not applied to constructor\n auto-mapping. #2665\n\nVersion update to 3.5.12\n\n * User impactful changes\n\n + #2703 Referencing collection parameter by name fails fixing\n #2693\n + #2709 Fix a race condition caused by other threads calling\n mapper methods while mapped tables are being constructed\n + #2727 Enable ability to provide custom configuration to\n XMLConfigBuilder\n + #2731 Adding mapper could fail under JPMS\n + #2741 Add \u0027affectedData\u0027 attribute to @select,\n @SelectProvider, and \u003cselect /\u003e\n + #2767 Resolve resultType by namespace and id when not\n provided resultType and resultMap\n + #2804 Search readable property when resolving constructor arg\n type by name\n + Minor correction: \u0027boolean\u0027 can never be null (primative)\n + General library updates\n + Uses parameters option for compiler now (needed by spring boot\n 3) (for reflection needs)\n\n * Code cleanup\n\n + #2816 Use open rewrite to partially cleanup java code\n + #2817 Add private constructors per open rewrite\n + #2819 Add final where appropriate per open rewrite\n + #2825 Cleanup if statement breaks / return logic\n + #2826 Eclipse based cleanup\n\n * Build\n\n + #2820 Remove test ci group profile in favor of more direct\n usage on GH-Actions and update deprecated surefire along in\n overview in README.md\n + Adjustments to build so shaded ognl and javassist no longer\n throw warnings\n + Build with jdk 21-ea as well now\n + Various test cleanup, updates, and additions\n + Turn on auto formatting of all java code including note to\n contributors on readme to skip formatting when necessary in\n code blocks\n + Tests may use jdk 11 now while retaining jdk 8 runtime\n + Pom cleanup / 
better clarification on parameters\n\n * Documentation\n\n + Various documentation updates\n\nVersion update to 3.5.13:\n\n * Bug fix:\n\n + Unable to resolve result type when the target property has\n a getter with different return type #2834\n\nVersion update to 3.5.14:\n\n * Bug fixes:\n\n + Registered type handler is not used for anonymous enums #2956\n + Discriminator does not work in constructor mapping #2913\n\nVersion update to 3.5.15:\n\n * Changes\n\n + XNode#toString() should output all child nodes. See #3001 and\n associated tickets on this issue\n + Fix performance of mappedColumnNames.contains by using \u0027set\u0027\n rather than \u0027list\u0027. See #3023\n + Fix osgi issue with javassist. See #3031\n + Updated shaded OGNL to 3.4.2. See #3035\n + Add support method for generating dynamic sql on SQL class.\n See #2887\n + General library updates\n + General document updates\n\n * Build\n\n + We now show builds from java 11, 17, 21, and 22 on Github\n Actions. Code is still java 8 compatible at this time.\n + Update vulnerable hsqldb to 2.7.2 fixing our tests that now\n work due to newer support. Note, users were never affected by\n this but at least one user pull request was attempted opened\n in addition to both renovate and dependabot and various\n reporting on it.\n + Now using more properties to define versions in pom to lower\n the frequency of pull requests from renovate\n\nVersion update to 3.5.16:\n\n * Security:\n\n + Prevent Invocation from being used by vulnerable applications.\n #3115\n\n * Bugs:\n\n + When database ID resolution is failed, invalid bound statement\n is used. #3040\n\n * Enhancements:\n\n + It is now possible to write a custom map wrapper to customize\n how to map column name with dots or brackets. #13 #3062\n\n * Performance:\n\n + Improved compatibility with Virtual Threads introduced by\n Loom.\n + Reduced memory footprint when performing the default (i.e.\n order based) constructor auto-mapping. 
#3113\n\n * Build:\n\n + Include the shaded libraries (OGNL and Javassist) in the\n sources.jar.\n\nVersion update to 3.5.17:\n\n * Bugs:\n\n + VendorDatabaseIdProvider#getDatabaseId() should return product\n name when properties is empty #3297\n + Update NClobTypeHandler to use methods for national character\n set #3298\n\n * Enhancements:\n\n + Allow DefaultSqlSessionFactory to provide a custom\n SqlSession #3128\n\nVersion update to 3.5.18:\n\n * Regressions\n\n + Fixed issue in 3.5.17 #3334\n\n * New\n\n + Ignore empty xnode per #3349\n + Share expression validator #3339\n + Throw helpful error instead of IndexOutOfBoundsException\n (automapping) #3327\n + Optimize mapper builder #3252\n\n * Tests\n\n + Add TransactionFactory, Transaction test cases #3277\n\n * Build\n\n + Reworked pom to match current java 17 build usage\n + Moved all tests to newer java standards\n + Cleaned up github actions\n + Run \u0027site\u0027 branch only on release commits\n\nVersion update to 3.5.19:\n\n * Revert Regression introduced by #3349.\n\n- Initial packaging with version 3.4.7\n\nognl replaces the EOLed apache-commons-ognl that has an unpatched\n security bug (bsc#1248252, CVE-2025-53192)", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-2025-3285,openSUSE-SLE-15.6-2025-3285", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03285-1.json" }, { "category": "self", 
"summary": "URL for SUSE-SU-2025:03285-1", "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503285-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2025:03285-1", "url": "https://lists.suse.com/pipermail/sle-updates/2025-September/041789.html" }, { "category": "self", "summary": "SUSE Bug 1248252", "url": "https://bugzilla.suse.com/1248252" }, { "category": "self", "summary": "SUSE CVE CVE-2025-53192 page", "url": "https://www.suse.com/security/cve/CVE-2025-53192/" } ], "title": "Security update for mybatis, ognl", "tracking": { "current_release_date": "2025-09-21T09:18:07Z", "generator": { "date": "2025-09-21T09:18:07Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2025:03285-1", "initial_release_date": "2025-09-21T09:18:07Z", "revision_history": [ { "date": "2025-09-21T09:18:07Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "mybatis-3.5.19-150200.5.9.1.noarch", "product": { "name": "mybatis-3.5.19-150200.5.9.1.noarch", "product_id": "mybatis-3.5.19-150200.5.9.1.noarch" } }, { "category": "product_version", "name": "mybatis-javadoc-3.5.19-150200.5.9.1.noarch", "product": { "name": "mybatis-javadoc-3.5.19-150200.5.9.1.noarch", "product_id": "mybatis-javadoc-3.5.19-150200.5.9.1.noarch" } }, { "category": "product_version", "name": "ognl-3.4.7-150200.5.3.1.noarch", "product": { "name": "ognl-3.4.7-150200.5.3.1.noarch", "product_id": "ognl-3.4.7-150200.5.3.1.noarch" } }, { "category": "product_version", "name": "ognl-javadoc-3.4.7-150200.5.3.1.noarch", "product": { "name": "ognl-javadoc-3.4.7-150200.5.3.1.noarch", "product_id": "ognl-javadoc-3.4.7-150200.5.3.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "openSUSE Leap 15.6", "product": { "name": "openSUSE Leap 
15.6", "product_id": "openSUSE Leap 15.6", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.6" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "mybatis-3.5.19-150200.5.9.1.noarch as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:mybatis-3.5.19-150200.5.9.1.noarch" }, "product_reference": "mybatis-3.5.19-150200.5.9.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "mybatis-javadoc-3.5.19-150200.5.9.1.noarch as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:mybatis-javadoc-3.5.19-150200.5.9.1.noarch" }, "product_reference": "mybatis-javadoc-3.5.19-150200.5.9.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "ognl-3.4.7-150200.5.3.1.noarch as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:ognl-3.4.7-150200.5.3.1.noarch" }, "product_reference": "ognl-3.4.7-150200.5.3.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "ognl-javadoc-3.4.7-150200.5.3.1.noarch as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:ognl-javadoc-3.4.7-150200.5.3.1.noarch" }, "product_reference": "ognl-javadoc-3.4.7-150200.5.3.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-53192", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2025-53192" } ], "notes": [ { "category": "general", "text": "** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Expression/Command Delimiters vulnerability in Apache Commons OGNL.\n\nThis issue affects Apache Commons OGNL: all versions.\n\n\n\nWhen using 
the API Ognl.getValue, the OGNL engine parses and evaluates the provided expression with powerful capabilities, including accessing and invoking related methods,\n etc. Although OgnlRuntime attempts to restrict certain dangerous classes and methods (such as java.lang.Runtime) through a blocklist, these restrictions are not comprehensive. \nAttackers may be able to bypass the restrictions by leveraging class objects that are not covered by the blocklist and potentially achieve arbitrary code execution.\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.6:mybatis-3.5.19-150200.5.9.1.noarch", "openSUSE Leap 15.6:mybatis-javadoc-3.5.19-150200.5.9.1.noarch", "openSUSE Leap 15.6:ognl-3.4.7-150200.5.3.1.noarch", "openSUSE Leap 15.6:ognl-javadoc-3.4.7-150200.5.3.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2025-53192", "url": "https://www.suse.com/security/cve/CVE-2025-53192" }, { "category": "external", "summary": "SUSE Bug 1248252 for CVE-2025-53192", "url": "https://bugzilla.suse.com/1248252" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.6:mybatis-3.5.19-150200.5.9.1.noarch", "openSUSE Leap 15.6:mybatis-javadoc-3.5.19-150200.5.9.1.noarch", "openSUSE Leap 15.6:ognl-3.4.7-150200.5.3.1.noarch", "openSUSE Leap 15.6:ognl-javadoc-3.4.7-150200.5.3.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1" }, "products": [ "openSUSE Leap 
15.6:mybatis-3.5.19-150200.5.9.1.noarch", "openSUSE Leap 15.6:mybatis-javadoc-3.5.19-150200.5.9.1.noarch", "openSUSE Leap 15.6:ognl-3.4.7-150200.5.3.1.noarch", "openSUSE Leap 15.6:ognl-javadoc-3.4.7-150200.5.3.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2025-09-21T09:18:07Z", "details": "important" } ], "title": "CVE-2025-53192" } ] }