JVNDB-2013-000072
|
JBoss RichFaces vulnerable to remote code execution
|
JBoss RichFaces contains a remote code execution vulnerability because it deserializes data it does not trust.
JBoss RichFaces is a framework for integrating Ajax into web applications. RichFaces applications expose an interface that deserializes data supplied by end users. Unrestricted Java deserialization instantiates whatever serializable classes the incoming stream names and runs their deserialization logic, so an attacker who controls that data may be able to execute arbitrary code on the server.
Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V2 Severity: Base Metrics 6.8 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
|
Applications built with the following versions of JBoss RichFaces, and the Red Hat products that bundle them, are affected:
|
Red Hat, Inc.
- JBoss Enterprise Application Platform 5.x through 5.2.0
- JBoss Enterprise Application Platform through 4.3.0 CP10
- JBoss Enterprise Web Platform through 5.2.0
- JBoss RichFaces 3.x
- JBoss RichFaces 4.x
- JBoss RichFaces 5.x
- JBoss Web Framework Kit before 2.3.0
- Red Hat JBoss BRMS through 5.3.1
- Red Hat JBoss Operations Network 3.x through 3.1.2
- Red Hat JBoss Operations Network through 2.4.2
- Red Hat JBoss Portal 5.x through 5.2.2
- Red Hat JBoss Portal through 4.3 CP07
- Red Hat JBoss SOA Platform 5.x through 5.3.1
- Red Hat JBoss SOA Platform through 4.3.0 CP05
|
When a specially crafted request is processed, an attacker may write arbitrary files to the application server or execute arbitrary code on it.
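The pattern this advisory describes (a server-side ObjectInputStream.readObject over bytes the client chose) beside one way to constrain it, as an added example. This is not RichFaces or Red Hat code; ResourceKey, SideEffectOnRead and the method names are assumptions made for the illustration, and the "hostile" payload is constructed inline rather than taken from any real exploit.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example, not RichFaces code: why "deserializes untrusted data" means
 * the client picks which classes the server instantiates, and an allow-list
 * that stops it. ResourceKey stands in for whatever object a framework
 * encodes into a URL and reads back; it is hypothetical.
 */
public class UntrustedDeserialization {

    /** Hypothetical object the application itself round-trips through a URL. */
    public static final class ResourceKey implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final int width;
        ResourceKey(String name, int width) { this.name = name; this.width = width; }
    }

    /** Stand-in for a gadget: its readObject runs as a side effect of deserialization. */
    public static final class SideEffectOnRead implements Serializable {
        private static final long serialVersionUID = 1L;
        static int triggered = 0;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered++;   // a real gadget chain writes files or runs code here
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    /** VULNERABLE: any class named in the stream is loaded and its readObject executed. */
    static Object deserializeUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** HARDENED: allow-list checked in resolveClass, before the class is loaded (works on Java 6+). */
    static Object deserializeAllowListed(byte[] data, final Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (!allowed.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "class not on deserialization allow-list");
                }
                return super.resolveClass(desc);
            }
        }) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = new HashSet<>(Arrays.asList(ResourceKey.class.getName()));

        // Constructed inputs: what the application would emit, and what an attacker would send instead.
        byte[] legit = serialize(new ResourceKey("logo.png", 64));
        byte[] hostile = serialize(new SideEffectOnRead());

        deserializeUnchecked(hostile);   // side effect fires: the server ran attacker-chosen code paths
        System.out.println("unchecked: triggered=" + SideEffectOnRead.triggered);

        ResourceKey k = (ResourceKey) deserializeAllowListed(legit, allowed);
        System.out.println("allow-listed: accepted " + k.name + " " + k.width);

        try {
            deserializeAllowListed(hostile, allowed);
        } catch (InvalidClassException e) {
            System.out.println("allow-listed: rejected " + e.classname);
        }
        System.out.println("triggered still " + SideEffectOnRead.triggered);
    }
}
```

The rejection happens in resolveClass, so the hostile class is never loaded and its readObject never runs; on Java 9 and later, ObjectInputStream.setObjectInputFilter with an ObjectInputFilter pattern such as "UntrustedDeserialization$ResourceKey;!*" gives the same effect without subclassing. An allow-list is only as safe as the classes on it, and this example illustrates the defect class only; the remediation for the products listed above is the vendor patch.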
|
[Apply a patch]
Apply the appropriate patch according to the information provided by the developer.
|
Red Hat, Inc.
|
- No Mapping (CWE-Other) [IPA Evaluation]
|
- CVE-2013-2165
|
- JVN : JVN#38787103
- National Vulnerability Database (NVD) : CVE-2013-2165
- IPA SECURITY ALERTS : Security Updates Available for JBoss RichFaces (JVN#38787103) (in Japanese)
|
- [2013/07/19] Web page was published
- [2013/07/24] Affected Products: products were added; References: content was added
|