Detections
Analytics

openSUSE 15 Security Update : mybatis, ognl (SUSE-SU-2025:03285-1)

high Nessus Plugin ID 265727

Synopsis

The remote openSUSE host is missing a security update.

Description

The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2025:03285-1 advisory.

 Version update to 3.5.7:

 * Bug fixes:

 - Improved performance under JDK 8. #2223

 Version update to 3.5.8:

 * List of changes:

 - Avoid NullPointerException when mapping an empty string to java.lang.Character. #2368
 - Fixed an incorrect argument when initializing static object.
 This resolves a compatibility issue with quarkus-mybatis.
 #2284
 - Performance improvements. #2297 #2335 #2340

 Version update to 3.5.9:

 * List of changes:

 - Add nullable to <foreach />. If enabled, it skips the iteration when the collection is null instead of throwing an exception. To enable this feature globally, set nullableOnForEach=true in the config. #1883

 Version update to 3.5.10:

 * Bug fixes:

 - Unexpected illegal reflective access warning (or InaccessibleObjectException on Java 16+) when calling method in OGNL expression. #2392
 - IllegalAccessException when auto-mapping Records (JEP-359) #2195
 - 'interrupted' status is not set when PooledConnection#getConnection() is interrupted. #2503

 * Enhancements:

 - A new option argNameBasedConstructorAutoMapping is added. If enabled, constructor argument names are used to look up columns when auto-mapping. #2192
 - Added a new property skipSetAutoCommitOnClose to JdbcTransactionFactory. Skipping setAutoCommit() call could improve performance with some drivers. #2426
 - <idArg /> can now be listed after <arg /> in <constructor />.
 #2541

 Version update to 3.5.11:

 * Bug fixes:

 - OGNL could throw IllegalArgumentException when invoking inherited method. #2609
 - returnInstanceForEmptyRow is not applied to constructor auto-mapping. #2665

 Version update to 3.5.12

 * User impactful changes

 - #2703 Referencing collection parameter by name fails fixing #2693
 - #2709 Fix a race condition caused by other threads calling mapper methods while mapped tables are being constructed
 - #2727 Enable ability to provide custom configuration to XMLConfigBuilder
 - #2731 Adding mapper could fail under JPMS
 - #2741 Add 'affectedData' attribute to @select, @SelectProvider, and <select />
 - #2767 Resolve resultType by namespace and id when not provided resultType and resultMap
 - #2804 Search readable property when resolving constructor arg type by name
 - Minor correction: 'boolean' can never be null (primative)
 - General library updates
 - Uses parameters option for compiler now (needed by spring boot 3) (for reflection needs)

 * Code cleanup

 - #2816 Use open rewrite to partially cleanup java code + #2817 Add private constructors per open rewrite + #2819 Add final where appropriate per open rewrite + #2825 Cleanup if statement breaks / return logic + #2826 Eclipse based cleanup

 * Build

 + #2820 Remove test ci group profile in favor of more direct usage on GH-Actions and update deprecated surefire along in overview in README.md + Adjustments to build so shaded ognl and javassist no longer throw warnings + Build with jdk 21-ea as well now + Various test cleanup, updates, and additions + Turn on auto formatting of all java code including note to contributors on readme to skip formatting when necessary in code blocks + Tests may use jdk 11 now while retaining jdk 8 runtime + Pom cleanup / better clarification on parameters

 * Documentation

 + Various documentation updates

 Version update to 3.5.13:

 * Bug fix:

 + Unable to resolve result type when the target property has a getter with different return type #2834

 Version update to 3.5.14:

 * Bug fixes:

 + Registered type handler is not used for anonymous enums #2956 + Discriminator does not work in constructor mapping #2913

 Version update to 3.5.15:

 * Changes

 + XNode#toString() should output all child nodes. See #3001 and associated tickets on this issue + Fix performance of mappedColumnNames.contains by using 'set' rather than 'list'. See #3023 + Fix osgi issue with javassist. See #3031 + Updated shaded OGNL to 3.4.2. See #3035 + Add support method for generating dynamic sql on SQL class.
 See #2887 + General library updates + General document updates

 * Build

 + We now show builds from java 11, 17, 21, and 22 on Github Actions. Code is still java 8 compatible at this time.
 + Update vulnerable hsqldb to 2.7.2 fixing our tests that now work due to newer support. Note, users were never affected by this but at least one user pull request was attempted opened in addition to both renovate and dependabot and various reporting on it.
 + Now using more properties to define versions in pom to lower the frequency of pull requests from renovate

 Version update to 3.5.16:

 * Security:

 + Prevent Invocation from being used by vulnerable applications.
 #3115

 * Bugs:

 + When database ID resolution is failed, invalid bound statement is used. #3040

 * Enhancements:

 + It is now possible to write a custom map wrapper to customize how to map column name with dots or brackets. #13 #3062

 * Performance:

 + Improved compatibility with Virtual Threads introduced by Loom.
 + Reduced memory footprint when performing the default (i.e.
 order based) constructor auto-mapping. #3113

 * Build:

 + Include the shaded libraries (OGNL and Javassist) in the sources.jar.

 Version update to 3.5.17:

 * Bugs:

 + VendorDatabaseIdProvider#getDatabaseId() should return product name when properties is empty #3297 + Update NClobTypeHandler to use methods for national character set #3298

 * Enhancements:

 + Allow DefaultSqlSessionFactory to provide a custom SqlSession #3128

 Version update to 3.5.18:

 * Regressions

 + Fixed issue in 3.5.17 #3334

 * New

 + Ignore empty xnode per #3349 + Share expression validator #3339 + Throw helpful error instead of IndexOutOfBoundsException (automapping) #3327 + Optimize mapper builder #3252

 * Tests

 + Add TransactionFactory, Transaction test cases #3277

 * Build

 + Reworked pom to match current java 17 build usage + Moved all tests to newer java standards + Cleaned up github actions + Run 'site' branch only on release commits

 Version update to 3.5.19:

 * Revert Regression introduced by #3349.

 - Initial packaging with version 3.4.7

 ognl replaces the EOLed apache-commons-ognl that has an unpatched security bug (bsc#1248252, CVE-2025-53192)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected mybatis, mybatis-javadoc, ognl and / or ognl-javadoc packages.

See Also

https://bugzilla.suse.com/1248252

http://www.nessus.org/u?762712e9

https://www.suse.com/security/cve/CVE-2025-53192

Plugin Details

Severity: High

ID: 265727

File Name: suse_SU-2025-03285-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 9/23/2025

Updated: 9/23/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-53192

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 9/21/2025

Vulnerability Publication Date: 8/18/2025

Reference Information

CVE: CVE-2025-53192

SuSE: SUSE-SU-2025:03285-1