Detections
Analytics

SUSE SLED15 / SLES15 Security Update : apache-commons-configuration2, apache-commons-text (SUSE-SU-2026:2642-1)

medium Nessus Plugin ID 323041

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:2642-1 advisory.

 This update for apache-commons-configuration2, apache-commons-text fixes the following issues

 - CVE-2026-45205: uncontrolled recursion leads to `StackOverflowError` when processing specially crafted configuration files (bsc#1265299).

 Changes for apache-commons-configuration2:

 - Upgrade to version 2.15.0:
 + Disable include schemes http[s] by default, see AbstractFileLocationStrategy + Detect and avoid processing cycles in YAML input (YAMLConfiguration) (bsc#1265299, CVE-2026-45205) + Extend scheme validation to inner schemes of jar: URLs + Add XMLConfiguration.read(Element) + Add ConfigurationException.ConfigurationException(String, Object...) + Add ConfigurationException.ConfigurationException(Throwable, String, Object...) + Add ConversionException.ConversionException(String, Object...) + Add ConversionException.ConversionException(Throwable, String, + Add ConfigurationRuntimeException .ConfigurationRuntimeException(Throwable, String, Object...)
 * Fixed Bugs + Fix Apache RAT plugin console warnings + Migrate from deprecated APIs + Add org.apache.commons.configuration2.ImmutableConfiguration .entrySet() .forEach(BiConsumer<String, Object>) + Add VEX entry for CVE-2025-48924 + Shared primitive variable 'throwExceptionOnMissing' in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2 .AbstractConfiguration] At AbstractConfiguration.java:
 [line 1493] AT_STALE_THREAD_WRITE_OF_PRIMITIVE + Shared primitive variable 'forceSingleLine' in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2 .PropertiesConfigurationLayout] At PropertiesConfigurationLayout.java:[line 821] AT_STALE_THREAD_WRITE_OF_PRIMITIVE + CONFIGURATION-849: Fix undoubling of strings + CONFIGURATION-852: Mark the package jakarta.servlet.* import as optional in OSGi + Fix build [WARNING] Parameter 'forkMode' is unknown for plugin 'maven-surefire-plugin:3.5.3:test (default-test)'
 * New features:
 + Add PrefixedKeysIterator.toString() to package-private PrefixedKeysIterator + CONFIGURATION-836: New web configurations using the jakarta.servlet namespace are now available + CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletConfiguration .JakartaServletContextConfiguration .JakartaServletFilterConfiguration .JakartaServletRequestConfiguration + Add org.apache.commons.configuration2 .AbstractHierarchicalConfiguration.getKeysInternal(String, String)
 * Fixed Bugs:
 + PropertyConverter.to(Class, Object, DefaultConversionHandler) doesn't convert custom java.lang.Number subclasses + DefaultConversionHandler.convertValue(Object, Class, ConfigurationInterpolator) doesn't convert custom java.lang .Number subclasses + DefaultConversionHandler.to(Object, Class, + CONFIGURATION-848: SubsetConfiguration does not account for delimiters as it did in 2.9.0 + CONFIGURATION-848: CompositeConfiguration does not account for + Describe the security model + De-emphasize the 1.x version line on the website + CONFIGURATION-851: HomeDirectoryLocationStrategy no longer resolves the user HOME directory correctly + CONFIGURATION-844: Add support for empty sections + Add ImmutableConfiguration.containsValue(Object) + Fail-fast with a NullPointerException if DataConfiguration .DataConfiguration(Configuration) is called with null + Fail-fast with a NullPointerException if XMLPropertiesConfiguration.XMLPropertiesConfiguration(Element) is called with null + Fail-fast with a NullPointerException if a SubsetConfiguration constructor is called with a null Configuration + CONFIGURATION-843: Methods should not be empty + Guard MapConfiguration against null maps AppletConfiguration(Applet) is called with null ServletConfiguration(Servlet) is called with null ServletConfiguration(ServletConfig) is called with null ServletContextConfiguration(Servlet) is called with null ServletContextConfiguration(ServletContext) is called with null ServletFilterConfiguration(FilterConfig) is called with null ServletRequestConfiguration(ServletRequest) is called with null + Deprecate DatabaseConfiguration.getDatasource() in favor of getDataSource() + Fix PMD DynamicCombinedConfiguration in AbstractImmutableNodeHandler AbstractListDelimiterHandler DefaultPrefixLookupsHolder DynamicCombinedConfiguration PropertiesConfiguration + CONFIGURATION-846: Restore previous behavior allowing Spring to inject multiple values + CONFIGURATION-847: Property with an empty string value was not processed

 Changes for apache-commons-text:

 - Upgrade to version 1.15.0
 * New features + Add experimental CycloneDX VEX file + TEXT-235: Add Damerau-Levenshtein distance + Add unit tests to increase coverage + Add new test for CharSequenceTranslator#with() + Add tests and assertions to org.apache.commons.text.similarity to get to 100% code coverage
 * Fixed Bugs + Fix exception message typo in XmlStringLookup .XmlStringLookup(Map, Path...) + TEXT-236: Inserting at the end of a TextStringBuilder throws a StringIndexOutOfBoundsException + Fix TextStringBuilderTest.testAppendToCharBuffer() to use proper argument type + Fix Apache RAT plugin console warnings + Fix site XML to use version 2.0.0 XML schema + Removed unreachable threshold verification code in src/main/java/org/apache/commons/text/similarity + Enable secure processing for the XML parser in XmlStringLookup in case the underlying JAXP implementation doesn't + Interface StringLookup now extends UnaryOperator<String> + Interface TextRandomProvider extends IntUnaryOperator + Add RandomStringGenerator.Builder .usingRandom(IntUnaryOperator) + Add PMD check to default Maven goal + Add org.apache.commons.text.RandomStringGenerator.Builder .setAccumulate(boolean) + Fix PMD UnnecessaryFullyQualifiedName in StringLookupFactory + Fix PMD UnnecessaryFullyQualifiedName in DefaultStringLookupsHolder PropertiesStringLookup JavaPlatformStringLookup + Fix PMD UnnecessaryFullyQualifiedName in StringSubstitutor + Fix PMD UnnecessaryFullyQualifiedName in StrSubstitutor + Fix PMD UnnecessaryFullyQualifiedName in AlphabetConverter + Fix PMD AvoidBranchingStatementAsLastInLoop in TextStringBuilder + Fix PMD AvoidBranchingStatementAsLastInLoop in StrBuilder + org.apache.commons.text.translate.LookupTranslator .LookupTranslator(Map CharSequence>) now throws NullPointerException instead of java.security.InvalidParameterException + Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80) + Deprecate EntityArrays.EntityArrays() + StringLookupFactory.DefaultStringLookupsHolder .createDefaultStringLookups() maps DefaultStringLookup .LOCAL_HOST twice instead of once for LOCAL_HOST and LOOPBACK_ADDRESS + Add StringLookupFactory.loopbackAddressStringLookup() + Add StringLookupFactory.KEY_LOOPBACK_ADDRESS + Add DefaultStringLookup.LOOPBACK_ADDRESS + Add richer inputs in package org.apache.commons.text .similarity with SimilarityInput + Add HammingDistance.apply(SimilarityInput, SimilarityInput) + Add JaccardDistance.apply(SimilarityInput, SimilarityInput) + Add JaccardSimilarity.apply(SimilarityInput, SimilarityInput) + Add JaroWinklerDistance.apply(SimilarityInput, SimilarityInput) + Add JaroWinklerSimilarity.apply(SimilarityInput, + Add LevenshteinDetailedDistance.apply(SimilarityInput, + Add LevenshteinDistance.apply(SimilarityInput, + Fix build on Java 22 + Fix build on Java 23-ea + Make package-private constructor private:
 StrLookup.MapStrLookup.MapStrLookup(Map) + Make package-private constructor private: StrLookup .SystemPropertiesStrLookup.SystemPropertiesStrLookup() + Make package-private class private and final: MapStrLookup + Make package-private class private: StrMatcher.CharMatcher + Make package-private class private: StrMatcher.CharSetMatcher + Make package-private class private: StrMatcher.NoMatcher + Make package-private class private: StrMatcher.StringMatcher + Make package-private class private: StrMatcher.TrimMatcher + Make package-private class private and final:
 IntersectionSimilarity.BagCount IntersectionSimilarity.TinyCount + Deprecate LevenshteinDistance.LevenshteinDistance() in favor of LevenshteinDistance.getDefaultInstance() + Deprecate LevenshteinDetailedDistance .LevenshteinDetailedDistance() in favor of LevenshteinDetailedDistance.getDefaultInstance() + TEXT-234: Improve StrBuilder documentation for new line text + TEXT-234: Improve TextStringBuilder documentation for new line text + TEXT-233: Required OSGi Import-Package version numbers in MANIFEST.MF + Add StringLookupFactory.fileStringLookup(Path...) and deprecated fileStringLookup() + Add StringLookupFactory.propertiesStringLookup(Path...) and deprecated propertiesStringLookup() + Add StringLookupFactory.xmlStringLookup(Map, Path...) and deprecated xmlStringLookup() and xmlStringLookup(Map) + Add StringLookupFactory.builder() for fencing Path resolution of the file, properties and XML lookups + Add DoubleFormat.Builder.get() as Builder now implements Supplier + TEXT-232: WordUtils.containsAllWords?() may throw PatternSyntaxException + TEXT-175: Fix regression for determining whitespace in WordUtils + Deprecate Builder in favor of Supplier + TEXT-224: Set SecureProcessing feature in XmlStringLookup by default + TEXT-224: Add StringLookupFactory.xmlStringLookup(Map<String, Boolean>...) + Add @FunctionalInterface to FormatFactory + Add RandomStringGenerator.builder() + TEXT-229: Add XmlEncoderStringLookup/XmlDecoderStringLookup + Add StringSubstitutor.toString() + TEXT-219: Fix StringTokenizer.getTokenList to return an independent modifiable list + Fix Javadoc for StringEscapeUtils.escapeHtml4 + TextStringBuidler#hashCode() allocates a String on each call + TEXT-221: Fix Bundle-SymbolicName to use the package name org.apache.commons.text + Add and use a package-private singleton for RegexTokenizer + Add and use a package-private singleton for CosineSimilarity + Add and use a package-private singleton for LongestCommonSubsequence JaroWinklerSimilarity + Add and use a package-private singleton for JaccardSimilarity + [StepSecurity] ci: Harden GitHub Actions + Improve AlphabetConverter Javadoc + Fix exception message in IntersectionResult to make set-theoretic sense + Add null-check in RandomStringGenerator#Builder#selectFrom() to avoid NullPointerException + Add null-check in RandomStringGenerator#Builder#withinRange() + TEXT-228: Fix TextStringBuilder to over-allocate when ensuring capacity + Constructor for ResourceBundleStringLookup should be private instead of package-private + Constructor for UrlDecoderStringLookup should be private + Constructor for UrlEncoderStringLookup should be private + TEXT-230: Javadoc of org.apache.commons.text.lookup .DefaultStringLookup.XML is incorrect + Update DoubleFormat to state it is based on Double.toString

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected apache-commons-configuration2 and / or apache-commons-text packages.

See Also

https://bugzilla.suse.com/1265299

https://lists.suse.com/pipermail/sle-updates/2026-June/047637.html

https://www.suse.com/security/cve/CVE-2026-45205

Plugin Details

Severity: Medium

ID: 323041

File Name: suse_SU-2026-2642-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/26/2026

Updated: 6/26/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-45205

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:apache-commons-text, p-cpe:/a:novell:suse_linux:apache-commons-configuration2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/26/2026

Vulnerability Publication Date: 5/14/2026

Reference Information

CVE: CVE-2026-45205

SuSE: SUSE-SU-2026:2642-1