Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2011-3506 (GCVE-0-2011-3506)
Vulnerability from cvelistv5 – Published: 2011-10-18 22:00 – Updated: 2024-08-06 23:37
VLAI
EPSS
Summary
Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://secunia.com/advisories/46527 | third-party-advisoryx_refsource_SECUNIA |
| http://secunia.com/advisories/46528 | third-party-advisoryx_refsource_SECUNIA |
| http://www.oracle.com/technetwork/topics/security… | x_refsource_CONFIRM |
| http://secunia.com/advisories/50084 | third-party-advisoryx_refsource_SECUNIA |
| http://rhn.redhat.com/errata/RHSA-2012-1232.html | vendor-advisoryx_refsource_REDHAT |
Date Public
2011-10-18 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T23:37:47.514Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "46527",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/46527"
},
{
"name": "46528",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/46528"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
},
{
"name": "50084",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/50084"
},
{
"name": "RHSA-2012:1232",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-10-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-01-12T10:00:00.000Z",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "46527",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/46527"
},
{
"name": "46528",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/46528"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
},
{
"name": "50084",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/50084"
},
{
"name": "RHSA-2012:1232",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2011-3506",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "46527",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/46527"
},
{
"name": "46528",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/46528"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
},
{
"name": "50084",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/50084"
},
{
"name": "RHSA-2012:1232",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2011-3506",
"datePublished": "2011-10-18T22:00:00.000Z",
"dateReserved": "2011-09-16T00:00:00.000Z",
"dateUpdated": "2024-08-06T23:37:47.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2011-3506",
"date": "2026-05-27",
"epss": "0.00396",
"percentile": "0.60583"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:sun_products_suite:7.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D5250033-4703-46A4-B3D3-101BD7D90E6F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:sun_products_suite:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"35BA375D-067F-4FFD-B12C-A19FF9E3EEA5\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad no especificada en el componente Oracle OpenSSO de Oracle Sun Products Suite v7.1 y v8.0 permite a atacantes remotos comprometer la integridad a trav\\u00e9s de vectores desconocidos relacionados con Authentication.\"}]",
"id": "CVE-2011-3506",
"lastModified": "2024-11-21T01:30:37.333",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2011-10-18T22:55:03.057",
"references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1232.html\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"http://secunia.com/advisories/46527\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"http://secunia.com/advisories/46528\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"http://secunia.com/advisories/50084\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1232.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/46527\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/46528\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/50084\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "secalert_us@oracle.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2011-3506\",\"sourceIdentifier\":\"secalert_us@oracle.com\",\"published\":\"2011-10-18T22:55:03.057\",\"lastModified\":\"2026-04-29T01:13:23.040\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad no especificada en el componente Oracle OpenSSO de Oracle Sun Products Suite v7.1 y v8.0 permite a atacantes remotos comprometer la integridad a trav\u00e9s de vectores desconocidos relacionados con Authentication.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:sun_products_suite:7.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D5250033-4703-46A4-B3D3-101BD7D90E6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:sun_products_suite:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"35BA375D-067F-4FFD-B12C-A19FF9E3EEA5\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-1232.html\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"http://secunia.com/advisories/46527\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"http://secunia.com/advisories/46528\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"http://secunia.com/advisories/50084\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2012-1232.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/46527\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/46528\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/50084\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
}
}
CERTA-2011-AVI-586
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été corrigées dans les produits Oracle.
Description
De multiples vulnérabilités ont été corrigées dans les produits Oracle. Elles peuvent notamment être exploitées pour porter atteinte à la confidentialité, l'intégrité ou la disponibilité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Oracle | N/A | Oracle Siebel CRM Core and Apps, versions 8.0.0, 8.1.1 ; | ||
| Oracle | N/A | Oracle Sun Product Suite ; | ||
| Oracle | N/A | Oracle Application Server 10g Release 3, version 10.1.3.5.0 ; | ||
| Oracle | N/A | Oracle Agile Product Supplier Collaboration for Process, versions 5.2.2, 6.0.0.2, 6.0.0.3, 6.0.0.4 ; | ||
| Oracle | N/A | Oracle Outside In Technology, versions 8.3.5, 8.3.7 ; | ||
| Oracle | N/A | Oracle Database 11g Release 2, version 11.2.0.2 ; | ||
| Oracle | N/A | Oracle Application Server 10g Release 2, version 10.1.2.3.0 ; | ||
| Oracle | N/A | Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5 ; | ||
| Oracle | N/A | Oracle E-Business Suite Release 11i, version 11.5.10.2 ; | ||
| Oracle | N/A | Oracle Clinical, Remote Data Capture, versions 4.6, 4.6.2 ; | ||
| Oracle | Weblogic | Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5) ; | ||
| Oracle | N/A | Oracle Linux 5 ; | ||
| Oracle | N/A | Oracle Database 10g Release 1, version 10.1.0.5 ; | ||
| Oracle | N/A | Oracle Business Intelligence Enterprise Edition, versions 11.1.1.3, 11.1.1.5 ; | ||
| Oracle | N/A | Oracle Thesaurus Management System, versions 4.6.1, 4.6.2 ; | ||
| Oracle | N/A | Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.2, 12.1.3 ; | ||
| Oracle | N/A | Oracle Sun Ray ; | ||
| Oracle | PeopleSoft | Oracle PeopleSoft Enterprise PeopleTools, versions 8.49, 8.50, 8.51 ; | ||
| Oracle | Weblogic | Oracle WebLogic Portal, versions 9.2.3.0, 10.0.1.0, 10.2.1.0, 10.3.2.0 ; | ||
| Oracle | N/A | Oracle Database 11g Release 1, version 11.1.0.7 ; | ||
| Oracle | N/A | Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0 ; | ||
| Oracle | N/A | Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3 ; | ||
| Oracle | PeopleSoft | Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1 ; |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle Siebel CRM Core and Apps, versions 8.0.0, 8.1.1 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Sun Product Suite ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Application Server 10g Release 3, version 10.1.3.5.0 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Agile Product Supplier Collaboration for Process, versions 5.2.2, 6.0.0.2, 6.0.0.3, 6.0.0.4 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Outside In Technology, versions 8.3.5, 8.3.7 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Database 11g Release 2, version 11.2.0.2 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Application Server 10g Release 2, version 10.1.2.3.0 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle E-Business Suite Release 11i, version 11.5.10.2 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Clinical, Remote Data Capture, versions 4.6, 4.6.2 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5) ;",
"product": {
"name": "Weblogic",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Linux 5 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Database 10g Release 1, version 10.1.0.5 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Business Intelligence Enterprise Edition, versions 11.1.1.3, 11.1.1.5 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Thesaurus Management System, versions 4.6.1, 4.6.2 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.2, 12.1.3 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Sun Ray ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle PeopleSoft Enterprise PeopleTools, versions 8.49, 8.50, 8.51 ;",
"product": {
"name": "PeopleSoft",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebLogic Portal, versions 9.2.3.0, 10.0.1.0, 10.2.1.0, 10.3.2.0 ;",
"product": {
"name": "Weblogic",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Database 11g Release 1, version 11.1.0.7 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1 ;",
"product": {
"name": "PeopleSoft",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Description\n\nDe multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans les produits Oracle.\nElles peuvent notamment \u00eatre exploit\u00e9es pour porter atteinte \u00e0 la\nconfidentialit\u00e9, l\u0027int\u00e9grit\u00e9 ou la disponibilit\u00e9 des donn\u00e9es.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2011-2306",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2306"
},
{
"name": "CVE-2011-3532",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3532"
},
{
"name": "CVE-2011-3192",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3192"
},
{
"name": "CVE-2011-3536",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3536"
},
{
"name": "CVE-2011-2292",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2292"
},
{
"name": "CVE-2011-2312",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2312"
},
{
"name": "CVE-2011-2301",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2301"
},
{
"name": "CVE-2011-3522",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3522"
},
{
"name": "CVE-2011-2313",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2313"
},
{
"name": "CVE-2011-3517",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3517"
},
{
"name": "CVE-2011-2255",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2255"
},
{
"name": "CVE-2011-2316",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2316"
},
{
"name": "CVE-2011-3515",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3515"
},
{
"name": "CVE-2011-3511",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3511"
},
{
"name": "CVE-2011-3507",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3507"
},
{
"name": "CVE-2011-3519",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3519"
},
{
"name": "CVE-2011-3513",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3513"
},
{
"name": "CVE-2011-3535",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3535"
},
{
"name": "CVE-2011-2320",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2320"
},
{
"name": "CVE-2011-2308",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2308"
},
{
"name": "CVE-2011-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3510"
},
{
"name": "CVE-2011-2311",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2311"
},
{
"name": "CVE-2011-3518",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3518"
},
{
"name": "CVE-2011-3542",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3542"
},
{
"name": "CVE-2011-2304",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2304"
},
{
"name": "CVE-2011-3508",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3508"
},
{
"name": "CVE-2011-3534",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3534"
},
{
"name": "CVE-2011-2309",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2309"
},
{
"name": "CVE-2011-3530",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3530"
},
{
"name": "CVE-2011-3559",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3559"
},
{
"name": "CVE-2011-3512",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3512"
},
{
"name": "CVE-2011-2302",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2302"
},
{
"name": "CVE-2011-3528",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3528"
},
{
"name": "CVE-2011-2315",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2315"
},
{
"name": "CVE-2011-3506",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3506"
},
{
"name": "CVE-2011-3523",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3523"
},
{
"name": "CVE-2011-2323",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2323"
},
{
"name": "CVE-2011-3526",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3526"
},
{
"name": "CVE-2011-2310",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2310"
},
{
"name": "CVE-2011-2319",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2319"
},
{
"name": "CVE-2011-3520",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3520"
},
{
"name": "CVE-2011-3533",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3533"
},
{
"name": "CVE-2011-2303",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2303"
},
{
"name": "CVE-2011-3543",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3543"
},
{
"name": "CVE-2011-3525",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3525"
},
{
"name": "CVE-2011-2322",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2322"
},
{
"name": "CVE-2011-2314",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2314"
},
{
"name": "CVE-2011-2237",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2237"
},
{
"name": "CVE-2011-3538",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3538"
},
{
"name": "CVE-2011-3527",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3527"
},
{
"name": "CVE-2011-2327",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2327"
},
{
"name": "CVE-2011-3537",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3537"
},
{
"name": "CVE-2011-3539",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3539"
},
{
"name": "CVE-2011-2318",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2318"
},
{
"name": "CVE-2011-2286",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2286"
},
{
"name": "CVE-2011-3541",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3541"
},
{
"name": "CVE-2011-3529",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3529"
}
],
"links": [],
"reference": "CERTA-2011-AVI-586",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2011-10-21T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans les produits Oracle.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Oracle",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle d\u0027octobre 2011",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
}
]
}
CERTA-2011-AVI-586
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été corrigées dans les produits Oracle.
Description
De multiples vulnérabilités ont été corrigées dans les produits Oracle. Elles peuvent notamment être exploitées pour porter atteinte à la confidentialité, l'intégrité ou la disponibilité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Oracle | N/A | Oracle Siebel CRM Core and Apps, versions 8.0.0, 8.1.1 ; | ||
| Oracle | N/A | Oracle Sun Product Suite ; | ||
| Oracle | N/A | Oracle Application Server 10g Release 3, version 10.1.3.5.0 ; | ||
| Oracle | N/A | Oracle Agile Product Supplier Collaboration for Process, versions 5.2.2, 6.0.0.2, 6.0.0.3, 6.0.0.4 ; | ||
| Oracle | N/A | Oracle Outside In Technology, versions 8.3.5, 8.3.7 ; | ||
| Oracle | N/A | Oracle Database 11g Release 2, version 11.2.0.2 ; | ||
| Oracle | N/A | Oracle Application Server 10g Release 2, version 10.1.2.3.0 ; | ||
| Oracle | N/A | Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5 ; | ||
| Oracle | N/A | Oracle E-Business Suite Release 11i, version 11.5.10.2 ; | ||
| Oracle | N/A | Oracle Clinical, Remote Data Capture, versions 4.6, 4.6.2 ; | ||
| Oracle | Weblogic | Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5) ; | ||
| Oracle | N/A | Oracle Linux 5 ; | ||
| Oracle | N/A | Oracle Database 10g Release 1, version 10.1.0.5 ; | ||
| Oracle | N/A | Oracle Business Intelligence Enterprise Edition, versions 11.1.1.3, 11.1.1.5 ; | ||
| Oracle | N/A | Oracle Thesaurus Management System, versions 4.6.1, 4.6.2 ; | ||
| Oracle | N/A | Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.2, 12.1.3 ; | ||
| Oracle | N/A | Oracle Sun Ray ; | ||
| Oracle | PeopleSoft | Oracle PeopleSoft Enterprise PeopleTools, versions 8.49, 8.50, 8.51 ; | ||
| Oracle | Weblogic | Oracle WebLogic Portal, versions 9.2.3.0, 10.0.1.0, 10.2.1.0, 10.3.2.0 ; | ||
| Oracle | N/A | Oracle Database 11g Release 1, version 11.1.0.7 ; | ||
| Oracle | N/A | Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0 ; | ||
| Oracle | N/A | Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3 ; | ||
| Oracle | PeopleSoft | Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1 ; |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle Siebel CRM Core and Apps, versions 8.0.0, 8.1.1 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Sun Product Suite ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Application Server 10g Release 3, version 10.1.3.5.0 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Agile Product Supplier Collaboration for Process, versions 5.2.2, 6.0.0.2, 6.0.0.3, 6.0.0.4 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Outside In Technology, versions 8.3.5, 8.3.7 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Database 11g Release 2, version 11.2.0.2 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Application Server 10g Release 2, version 10.1.2.3.0 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle E-Business Suite Release 11i, version 11.5.10.2 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Clinical, Remote Data Capture, versions 4.6, 4.6.2 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5) ;",
"product": {
"name": "Weblogic",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Linux 5 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Database 10g Release 1, version 10.1.0.5 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Business Intelligence Enterprise Edition, versions 11.1.1.3, 11.1.1.5 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Thesaurus Management System, versions 4.6.1, 4.6.2 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.2, 12.1.3 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Sun Ray ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle PeopleSoft Enterprise PeopleTools, versions 8.49, 8.50, 8.51 ;",
"product": {
"name": "PeopleSoft",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebLogic Portal, versions 9.2.3.0, 10.0.1.0, 10.2.1.0, 10.3.2.0 ;",
"product": {
"name": "Weblogic",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Database 11g Release 1, version 11.1.0.7 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3 ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1 ;",
"product": {
"name": "PeopleSoft",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Description\n\nDe multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans les produits Oracle.\nElles peuvent notamment \u00eatre exploit\u00e9es pour porter atteinte \u00e0 la\nconfidentialit\u00e9, l\u0027int\u00e9grit\u00e9 ou la disponibilit\u00e9 des donn\u00e9es.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2011-2306",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2306"
},
{
"name": "CVE-2011-3532",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3532"
},
{
"name": "CVE-2011-3192",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3192"
},
{
"name": "CVE-2011-3536",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3536"
},
{
"name": "CVE-2011-2292",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2292"
},
{
"name": "CVE-2011-2312",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2312"
},
{
"name": "CVE-2011-2301",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2301"
},
{
"name": "CVE-2011-3522",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3522"
},
{
"name": "CVE-2011-2313",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2313"
},
{
"name": "CVE-2011-3517",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3517"
},
{
"name": "CVE-2011-2255",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2255"
},
{
"name": "CVE-2011-2316",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2316"
},
{
"name": "CVE-2011-3515",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3515"
},
{
"name": "CVE-2011-3511",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3511"
},
{
"name": "CVE-2011-3507",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3507"
},
{
"name": "CVE-2011-3519",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3519"
},
{
"name": "CVE-2011-3513",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3513"
},
{
"name": "CVE-2011-3535",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3535"
},
{
"name": "CVE-2011-2320",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2320"
},
{
"name": "CVE-2011-2308",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2308"
},
{
"name": "CVE-2011-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3510"
},
{
"name": "CVE-2011-2311",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2311"
},
{
"name": "CVE-2011-3518",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3518"
},
{
"name": "CVE-2011-3542",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3542"
},
{
"name": "CVE-2011-2304",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2304"
},
{
"name": "CVE-2011-3508",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3508"
},
{
"name": "CVE-2011-3534",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3534"
},
{
"name": "CVE-2011-2309",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2309"
},
{
"name": "CVE-2011-3530",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3530"
},
{
"name": "CVE-2011-3559",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3559"
},
{
"name": "CVE-2011-3512",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3512"
},
{
"name": "CVE-2011-2302",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2302"
},
{
"name": "CVE-2011-3528",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3528"
},
{
"name": "CVE-2011-2315",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2315"
},
{
"name": "CVE-2011-3506",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3506"
},
{
"name": "CVE-2011-3523",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3523"
},
{
"name": "CVE-2011-2323",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2323"
},
{
"name": "CVE-2011-3526",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3526"
},
{
"name": "CVE-2011-2310",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2310"
},
{
"name": "CVE-2011-2319",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2319"
},
{
"name": "CVE-2011-3520",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3520"
},
{
"name": "CVE-2011-3533",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3533"
},
{
"name": "CVE-2011-2303",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2303"
},
{
"name": "CVE-2011-3543",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3543"
},
{
"name": "CVE-2011-3525",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3525"
},
{
"name": "CVE-2011-2322",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2322"
},
{
"name": "CVE-2011-2314",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2314"
},
{
"name": "CVE-2011-2237",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2237"
},
{
"name": "CVE-2011-3538",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3538"
},
{
"name": "CVE-2011-3527",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3527"
},
{
"name": "CVE-2011-2327",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2327"
},
{
"name": "CVE-2011-3537",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3537"
},
{
"name": "CVE-2011-3539",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3539"
},
{
"name": "CVE-2011-2318",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2318"
},
{
"name": "CVE-2011-2286",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2286"
},
{
"name": "CVE-2011-3541",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3541"
},
{
"name": "CVE-2011-3529",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3529"
}
],
"links": [],
"reference": "CERTA-2011-AVI-586",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2011-10-21T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans les produits Oracle.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Oracle",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle d\u0027octobre 2011",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
}
]
}
FKIE_CVE-2011-3506
Vulnerability from fkie_nvd - Published: 2011-10-18 22:55 - Updated: 2026-04-29 01:13
Severity
Summary
Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oracle | sun_products_suite | 7.1 | |
| oracle | sun_products_suite | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:sun_products_suite:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D5250033-4703-46A4-B3D3-101BD7D90E6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:sun_products_suite:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "35BA375D-067F-4FFD-B12C-A19FF9E3EEA5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication."
},
{
"lang": "es",
"value": "Vulnerabilidad no especificada en el componente Oracle OpenSSO de Oracle Sun Products Suite v7.1 y v8.0 permite a atacantes remotos comprometer la integridad a trav\u00e9s de vectores desconocidos relacionados con Authentication."
}
],
"id": "CVE-2011-3506",
"lastModified": "2026-04-29T01:13:23.040",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-10-18T22:55:03.057",
"references": [
{
"source": "secalert_us@oracle.com",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"source": "secalert_us@oracle.com",
"url": "http://secunia.com/advisories/46527"
},
{
"source": "secalert_us@oracle.com",
"url": "http://secunia.com/advisories/46528"
},
{
"source": "secalert_us@oracle.com",
"url": "http://secunia.com/advisories/50084"
},
{
"source": "secalert_us@oracle.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/46527"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/46528"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/50084"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
}
],
"sourceIdentifier": "secalert_us@oracle.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-F8V7-6HPH-CVQJ
Vulnerability from github – Published: 2022-05-17 05:18 – Updated: 2022-05-17 05:18
VLAI
Details
Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.
{
"affected": [],
"aliases": [
"CVE-2011-3506"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-10-18T22:55:00Z",
"severity": "MODERATE"
},
"details": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.",
"id": "GHSA-f8v7-6hph-cvqj",
"modified": "2022-05-17T05:18:41Z",
"published": "2022-05-17T05:18:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3506"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/46527"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/46528"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/50084"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GSD-2011-3506
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2011-3506",
"description": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.",
"id": "GSD-2011-3506",
"references": [
"https://access.redhat.com/errata/RHSA-2012:1125"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2011-3506"
],
"details": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.",
"id": "GSD-2011-3506",
"modified": "2023-12-13T01:19:09.850754Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2011-3506",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "46527",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/46527"
},
{
"name": "46528",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/46528"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
},
{
"name": "50084",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/50084"
},
{
"name": "RHSA-2012:1232",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:sun_products_suite:7.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:sun_products_suite:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2011-3506"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
},
{
"name": "46527",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/46527"
},
{
"name": "46528",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/46528"
},
{
"name": "RHSA-2012:1232",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"name": "50084",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/50084"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2012-11-27T04:34Z",
"publishedDate": "2011-10-18T22:55Z"
}
}
}
RHSA-2012:1125
Vulnerability from csaf_redhat - Published: 2012-07-31 14:24 - Updated: 2026-05-14 22:16Summary
Red Hat Security Advisory: JBoss Enterprise SOA Platform 5.3.0 update
Severity
Important
Notes
Topic: JBoss Enterprise SOA Platform 5.3.0, which fixes multiple security issues,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details: JBoss Enterprise SOA Platform is the next-generation ESB and business
process automation infrastructure.
This release of JBoss Enterprise SOA Platform 5.3.0 serves as a replacement
for JBoss Enterprise SOA Platform 5.2.0. It includes various bug fixes and
enhancements which are detailed in the JBoss Enterprise SOA Platform 5.3.0
Release Notes. The Release Notes will be available shortly from
https://access.redhat.com/knowledge/docs/
The following security issues are also fixed with this release:
It was found that the JBoss JNDI service allowed unauthenticated, remote
write access by default. The JNDI and HA-JNDI services, and the
HAJNDIFactory invoker servlet were all affected. A remote attacker able to
access the JNDI service (port 1099), HA-JNDI service (port 1100), or the
HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add,
delete, and modify items in the JNDI tree. This could have various,
application-specific impacts. (CVE-2011-4605)
A denial of service flaw was found in the implementation of associative
arrays (hashes) in JRuby. An attacker able to supply a large number of
inputs to a JRuby application (such as HTTP POST request parameters sent to
a web application) that are used as keys when inserting data into an array
could trigger multiple hash function collisions, making array operations
take an excessive amount of CPU time. To mitigate this issue, randomization
has been added to the hash function to reduce the chance of an attacker
successfully causing intentional collisions. (CVE-2011-4838)
Note: JBoss Enterprise SOA Platform only provides JRuby as a dependency of
the scripting_chain quickstart example application. The CVE-2011-4838 flaw
is not exposed unless the version of JRuby shipped with that quickstart is
used by a deployed, custom application.
It was found that RESTEasy was vulnerable to XML External Entity (XXE)
attacks. If a remote attacker submitted a request containing an external
XML entity to a RESTEasy endpoint, the entity would be resolved, allowing
the attacker to read files accessible to the user running the application
server. This flaw affected DOM (Document Object Model) Document and JAXB
(Java Architecture for XML Binding) input. The fix for this issue is not
enabled by default. Refer to the Solution section for details.
(CVE-2012-0818)
Multiple flaws were found in the Oracle OpenSSO authentication and
administration components. A remote attacker could use these flaws to
affect the integrity and availability of a service that uses Oracle
OpenSSO. (CVE-2011-3506, CVE-2011-3517, CVE-2012-0079)
Note: JBoss Enterprise SOA Platform only provides Oracle OpenSSO as part of
the opensso quickstart example application. The CVE-2011-3506,
CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso
quickstart example application is deployed, or you have created and
deployed a custom application that is packaged with a copy of Oracle
OpenSSO as provided by the opensso quickstart.
The opensso quickstart has been removed in this release to address these
flaws. Users interested in continuing to receive updates for their custom
applications using Oracle OpenSSO are advised to contact Oracle as Red Hat
is no longer supporting OpenSSO.
When a JGroups channel is started, the JGroups diagnostics service would be
enabled by default with no authentication. This service is exposed via IP
multicast. An attacker on an adjacent network could exploit this flaw to
read diagnostics information. (CVE-2012-2377)
Red Hat would like to thank Christian Schlüter (VIADA) for reporting
CVE-2011-4605, and oCERT for reporting CVE-2011-4838. oCERT
acknowledges Julian Wälde and Alexander Klink as the original reporters of
CVE-2011-4838.
Warning: Before installing version 5.3.0, back up your existing JBoss
Enterprise SOA Platform installation (including its databases,
applications, configuration files, and so on).
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.
2.6 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 8.0 allows remote attackers to affect availability via unknown vectors related to Authentication.
4.3 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors.
7.5 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
Unspecified vulnerability in Oracle OpenSSO 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Administration.
2.6 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications.
4.6 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast.
3.3 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
References
50 references
Acknowledgments
VIADA
Christian Schlüter
oCERT
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "JBoss Enterprise SOA Platform 5.3.0, which fixes multiple security issues,\nvarious bugs, and adds enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "JBoss Enterprise SOA Platform is the next-generation ESB and business\nprocess automation infrastructure.\n\nThis release of JBoss Enterprise SOA Platform 5.3.0 serves as a replacement\nfor JBoss Enterprise SOA Platform 5.2.0. It includes various bug fixes and\nenhancements which are detailed in the JBoss Enterprise SOA Platform 5.3.0\nRelease Notes. The Release Notes will be available shortly from\nhttps://access.redhat.com/knowledge/docs/\n\nThe following security issues are also fixed with this release:\n\nIt was found that the JBoss JNDI service allowed unauthenticated, remote\nwrite access by default. The JNDI and HA-JNDI services, and the\nHAJNDIFactory invoker servlet were all affected. A remote attacker able to\naccess the JNDI service (port 1099), HA-JNDI service (port 1100), or the\nHAJNDIFactory invoker servlet on a JBoss server could use this flaw to add,\ndelete, and modify items in the JNDI tree. This could have various,\napplication-specific impacts. (CVE-2011-4605)\n\nA denial of service flaw was found in the implementation of associative\narrays (hashes) in JRuby. An attacker able to supply a large number of\ninputs to a JRuby application (such as HTTP POST request parameters sent to\na web application) that are used as keys when inserting data into an array\ncould trigger multiple hash function collisions, making array operations\ntake an excessive amount of CPU time. To mitigate this issue, randomization\nhas been added to the hash function to reduce the chance of an attacker\nsuccessfully causing intentional collisions. (CVE-2011-4838)\n\nNote: JBoss Enterprise SOA Platform only provides JRuby as a dependency of\nthe scripting_chain quickstart example application. The CVE-2011-4838 flaw\nis not exposed unless the version of JRuby shipped with that quickstart is\nused by a deployed, custom application.\n\nIt was found that RESTEasy was vulnerable to XML External Entity (XXE)\nattacks. If a remote attacker submitted a request containing an external\nXML entity to a RESTEasy endpoint, the entity would be resolved, allowing\nthe attacker to read files accessible to the user running the application\nserver. This flaw affected DOM (Document Object Model) Document and JAXB\n(Java Architecture for XML Binding) input. The fix for this issue is not\nenabled by default. Refer to the Solution section for details.\n(CVE-2012-0818)\n\nMultiple flaws were found in the Oracle OpenSSO authentication and\nadministration components. A remote attacker could use these flaws to\naffect the integrity and availability of a service that uses Oracle\nOpenSSO. (CVE-2011-3506, CVE-2011-3517, CVE-2012-0079)\n\nNote: JBoss Enterprise SOA Platform only provides Oracle OpenSSO as part of\nthe opensso quickstart example application. The CVE-2011-3506,\nCVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso\nquickstart example application is deployed, or you have created and\ndeployed a custom application that is packaged with a copy of Oracle\nOpenSSO as provided by the opensso quickstart.\n\nThe opensso quickstart has been removed in this release to address these\nflaws. Users interested in continuing to receive updates for their custom\napplications using Oracle OpenSSO are advised to contact Oracle as Red Hat\nis no longer supporting OpenSSO.\n\nWhen a JGroups channel is started, the JGroups diagnostics service would be\nenabled by default with no authentication. This service is exposed via IP\nmulticast. An attacker on an adjacent network could exploit this flaw to\nread diagnostics information. (CVE-2012-2377)\n\nRed Hat would like to thank Christian Schl\u00fcter (VIADA) for reporting\nCVE-2011-4605, and oCERT for reporting CVE-2011-4838. oCERT\nacknowledges Julian W\u00e4lde and Alexander Klink as the original reporters of\nCVE-2011-4838.\n\nWarning: Before installing version 5.3.0, back up your existing JBoss\nEnterprise SOA Platform installation (including its databases,\napplications, configuration files, and so on).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2012:1125",
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
},
{
"category": "external",
"summary": "http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html",
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html"
},
{
"category": "external",
"summary": "https://access.redhat.com/knowledge/docs/",
"url": "https://access.redhat.com/knowledge/docs/"
},
{
"category": "external",
"summary": "749078",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=749078"
},
{
"category": "external",
"summary": "749079",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=749079"
},
{
"category": "external",
"summary": "766469",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=766469"
},
{
"category": "external",
"summary": "770820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=770820"
},
{
"category": "external",
"summary": "783898",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=783898"
},
{
"category": "external",
"summary": "785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "823392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=823392"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_1125.json"
}
],
"title": "Red Hat Security Advisory: JBoss Enterprise SOA Platform 5.3.0 update",
"tracking": {
"current_release_date": "2026-05-14T22:16:47+00:00",
"generator": {
"date": "2026-05-14T22:16:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2012:1125",
"initial_release_date": "2012-07-31T14:24:00+00:00",
"revision_history": [
{
"date": "2012-07-31T14:24:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2012-07-31T14:32:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:16:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss SOA Platform 5.3",
"product": {
"name": "Red Hat JBoss SOA Platform 5.3",
"product_id": "Red Hat JBoss SOA Platform 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_soa_platform:5.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2011-3506",
"discovery_date": "2011-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "749078"
}
],
"notes": [
{
"category": "description",
"text": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenSSO: unspecified vulnerability in the authentication component",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Oracle OpenSSO is provided as part of the opensso quickstart example application shipped with JBoss Enterprise SOA Platform 5. The CVE-2011-3506, CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso quickstart example application is deployed, or you have created and deployed a custom application that is packaged with a copy of Oracle OpenSSO as provided by the opensso quickstart.\n\nThe opensso quickstart has been removed in JBoss Enterprise SOA Platform 5.3.0 to address these flaws. Users interested in continuing to receive updates for their custom applications using Oracle OpenSSO are advised to contact Oracle as Red Hat is no longer supporting OpenSSO.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-3506"
},
{
"category": "external",
"summary": "RHBZ#749078",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=749078"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-3506",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3506"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-3506",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3506"
},
{
"category": "external",
"summary": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
}
],
"release_date": "2011-10-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "OpenSSO: unspecified vulnerability in the authentication component"
},
{
"cve": "CVE-2011-3517",
"discovery_date": "2011-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "749079"
}
],
"notes": [
{
"category": "description",
"text": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 8.0 allows remote attackers to affect availability via unknown vectors related to Authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenSSO: unspecified vulnerability in the authentication component",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Oracle OpenSSO is provided as part of the opensso quickstart example application shipped with JBoss Enterprise SOA Platform 5. The CVE-2011-3506, CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso quickstart example application is deployed, or you have created and deployed a custom application that is packaged with a copy of Oracle OpenSSO as provided by the opensso quickstart.\n\nThe opensso quickstart has been removed in JBoss Enterprise SOA Platform 5.3.0 to address these flaws. Users interested in continuing to receive updates for their custom applications using Oracle OpenSSO are advised to contact Oracle as Red Hat is no longer supporting OpenSSO.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-3517"
},
{
"category": "external",
"summary": "RHBZ#749079",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=749079"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-3517",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3517"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-3517",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3517"
},
{
"category": "external",
"summary": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
}
],
"release_date": "2011-10-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "OpenSSO: unspecified vulnerability in the authentication component"
},
{
"acknowledgments": [
{
"names": [
"Christian Schl\u00fcter"
],
"organization": "VIADA"
}
],
"cve": "CVE-2011-4605",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"discovery_date": "2011-12-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "766469"
}
],
"notes": [
{
"category": "description",
"text": "The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JNDI: unauthenticated remote write access is permitted by default",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-4605"
},
{
"category": "external",
"summary": "RHBZ#766469",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=766469"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-4605",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4605"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-4605",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4605"
}
],
"release_date": "2012-06-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "JNDI: unauthenticated remote write access is permitted by default"
},
{
"acknowledgments": [
{
"names": [
"oCERT"
]
}
],
"cve": "CVE-2011-4838",
"discovery_date": "2011-11-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "770820"
}
],
"notes": [
{
"category": "description",
"text": "JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jruby: hash table collisions DoS (oCERT-2011-003)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-4838"
},
{
"category": "external",
"summary": "RHBZ#770820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=770820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-4838",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4838"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-4838",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4838"
}
],
"release_date": "2011-12-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jruby: hash table collisions DoS (oCERT-2011-003)"
},
{
"cve": "CVE-2011-5245",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-5245"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-5245",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-5245"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2012-0079",
"discovery_date": "2012-01-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "783898"
}
],
"notes": [
{
"category": "description",
"text": "Unspecified vulnerability in Oracle OpenSSO 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Administration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenSSO: Unspecified vulnerability allows remote attackers to affect integrity via unknown vectors",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Oracle OpenSSO is provided as part of the opensso quickstart example application shipped with JBoss Enterprise SOA Platform 5. The CVE-2011-3506, CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso quickstart example application is deployed, or you have created and deployed a custom application that is packaged with a copy of Oracle OpenSSO as provided by the opensso quickstart.\n\nThe opensso quickstart has been removed in JBoss Enterprise SOA Platform 5.3.0 to address these flaws. Users interested in continuing to receive updates for their custom applications using Oracle OpenSSO are advised to contact Oracle as Red Hat is no longer supporting OpenSSO.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0079"
},
{
"category": "external",
"summary": "RHBZ#783898",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=783898"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0079",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0079"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0079",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0079"
}
],
"release_date": "2012-01-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "OpenSSO: Unspecified vulnerability allows remote attackers to affect integrity via unknown vectors"
},
{
"cve": "CVE-2012-0818",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0818"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0818",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0818"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2012-1167",
"discovery_date": "2012-03-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "802622"
}
],
"notes": [
{
"category": "description",
"text": "The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-1167"
},
{
"category": "external",
"summary": "RHBZ#802622",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=802622"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-1167",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-1167"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-1167",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1167"
}
],
"release_date": "2012-06-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm"
},
{
"acknowledgments": [
{
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2012-2377",
"discovery_date": "2012-05-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "823392"
}
],
"notes": [
{
"category": "description",
"text": "JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-2377"
},
{
"category": "external",
"summary": "RHBZ#823392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=823392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-2377",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2377"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-2377",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2377"
}
],
"release_date": "2012-06-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started"
}
]
}
RHSA-2012_1125
Vulnerability from csaf_redhat - Published: 2012-07-31 14:24 - Updated: 2024-11-22 05:43Summary
Red Hat Security Advisory: JBoss Enterprise SOA Platform 5.3.0 update
Severity
Important
Notes
Topic: JBoss Enterprise SOA Platform 5.3.0, which fixes multiple security issues,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details: JBoss Enterprise SOA Platform is the next-generation ESB and business
process automation infrastructure.
This release of JBoss Enterprise SOA Platform 5.3.0 serves as a replacement
for JBoss Enterprise SOA Platform 5.2.0. It includes various bug fixes and
enhancements which are detailed in the JBoss Enterprise SOA Platform 5.3.0
Release Notes. The Release Notes will be available shortly from
https://access.redhat.com/knowledge/docs/
The following security issues are also fixed with this release:
It was found that the JBoss JNDI service allowed unauthenticated, remote
write access by default. The JNDI and HA-JNDI services, and the
HAJNDIFactory invoker servlet were all affected. A remote attacker able to
access the JNDI service (port 1099), HA-JNDI service (port 1100), or the
HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add,
delete, and modify items in the JNDI tree. This could have various,
application-specific impacts. (CVE-2011-4605)
A denial of service flaw was found in the implementation of associative
arrays (hashes) in JRuby. An attacker able to supply a large number of
inputs to a JRuby application (such as HTTP POST request parameters sent to
a web application) that are used as keys when inserting data into an array
could trigger multiple hash function collisions, making array operations
take an excessive amount of CPU time. To mitigate this issue, randomization
has been added to the hash function to reduce the chance of an attacker
successfully causing intentional collisions. (CVE-2011-4838)
Note: JBoss Enterprise SOA Platform only provides JRuby as a dependency of
the scripting_chain quickstart example application. The CVE-2011-4838 flaw
is not exposed unless the version of JRuby shipped with that quickstart is
used by a deployed, custom application.
It was found that RESTEasy was vulnerable to XML External Entity (XXE)
attacks. If a remote attacker submitted a request containing an external
XML entity to a RESTEasy endpoint, the entity would be resolved, allowing
the attacker to read files accessible to the user running the application
server. This flaw affected DOM (Document Object Model) Document and JAXB
(Java Architecture for XML Binding) input. The fix for this issue is not
enabled by default. Refer to the Solution section for details.
(CVE-2012-0818)
Multiple flaws were found in the Oracle OpenSSO authentication and
administration components. A remote attacker could use these flaws to
affect the integrity and availability of a service that uses Oracle
OpenSSO. (CVE-2011-3506, CVE-2011-3517, CVE-2012-0079)
Note: JBoss Enterprise SOA Platform only provides Oracle OpenSSO as part of
the opensso quickstart example application. The CVE-2011-3506,
CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso
quickstart example application is deployed, or you have created and
deployed a custom application that is packaged with a copy of Oracle
OpenSSO as provided by the opensso quickstart.
The opensso quickstart has been removed in this release to address these
flaws. Users interested in continuing to receive updates for their custom
applications using Oracle OpenSSO are advised to contact Oracle as Red Hat
is no longer supporting OpenSSO.
When a JGroups channel is started, the JGroups diagnostics service would be
enabled by default with no authentication. This service is exposed via IP
multicast. An attacker on an adjacent network could exploit this flaw to
read diagnostics information. (CVE-2012-2377)
Red Hat would like to thank Christian Schlüter (VIADA) for reporting
CVE-2011-4605, and oCERT for reporting CVE-2011-4838. oCERT
acknowledges Julian Wälde and Alexander Klink as the original reporters of
CVE-2011-4838.
Warning: Before installing version 5.3.0, back up your existing JBoss
Enterprise SOA Platform installation (including its databases,
applications, configuration files, and so on).
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.
2.6 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 8.0 allows remote attackers to affect availability via unknown vectors related to Authentication.
4.3 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors.
7.5 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
Unspecified vulnerability in Oracle OpenSSO 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Administration.
2.6 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications.
4.6 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast.
3.3 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss Middleware
|
cpe:/a:redhat:jboss_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
References
50 references
Acknowledgments
VIADA
Christian Schlüter
oCERT
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "JBoss Enterprise SOA Platform 5.3.0, which fixes multiple security issues,\nvarious bugs, and adds enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "JBoss Enterprise SOA Platform is the next-generation ESB and business\nprocess automation infrastructure.\n\nThis release of JBoss Enterprise SOA Platform 5.3.0 serves as a replacement\nfor JBoss Enterprise SOA Platform 5.2.0. It includes various bug fixes and\nenhancements which are detailed in the JBoss Enterprise SOA Platform 5.3.0\nRelease Notes. The Release Notes will be available shortly from\nhttps://access.redhat.com/knowledge/docs/\n\nThe following security issues are also fixed with this release:\n\nIt was found that the JBoss JNDI service allowed unauthenticated, remote\nwrite access by default. The JNDI and HA-JNDI services, and the\nHAJNDIFactory invoker servlet were all affected. A remote attacker able to\naccess the JNDI service (port 1099), HA-JNDI service (port 1100), or the\nHAJNDIFactory invoker servlet on a JBoss server could use this flaw to add,\ndelete, and modify items in the JNDI tree. This could have various,\napplication-specific impacts. (CVE-2011-4605)\n\nA denial of service flaw was found in the implementation of associative\narrays (hashes) in JRuby. An attacker able to supply a large number of\ninputs to a JRuby application (such as HTTP POST request parameters sent to\na web application) that are used as keys when inserting data into an array\ncould trigger multiple hash function collisions, making array operations\ntake an excessive amount of CPU time. To mitigate this issue, randomization\nhas been added to the hash function to reduce the chance of an attacker\nsuccessfully causing intentional collisions. (CVE-2011-4838)\n\nNote: JBoss Enterprise SOA Platform only provides JRuby as a dependency of\nthe scripting_chain quickstart example application. The CVE-2011-4838 flaw\nis not exposed unless the version of JRuby shipped with that quickstart is\nused by a deployed, custom application.\n\nIt was found that RESTEasy was vulnerable to XML External Entity (XXE)\nattacks. If a remote attacker submitted a request containing an external\nXML entity to a RESTEasy endpoint, the entity would be resolved, allowing\nthe attacker to read files accessible to the user running the application\nserver. This flaw affected DOM (Document Object Model) Document and JAXB\n(Java Architecture for XML Binding) input. The fix for this issue is not\nenabled by default. Refer to the Solution section for details.\n(CVE-2012-0818)\n\nMultiple flaws were found in the Oracle OpenSSO authentication and\nadministration components. A remote attacker could use these flaws to\naffect the integrity and availability of a service that uses Oracle\nOpenSSO. (CVE-2011-3506, CVE-2011-3517, CVE-2012-0079)\n\nNote: JBoss Enterprise SOA Platform only provides Oracle OpenSSO as part of\nthe opensso quickstart example application. The CVE-2011-3506,\nCVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso\nquickstart example application is deployed, or you have created and\ndeployed a custom application that is packaged with a copy of Oracle\nOpenSSO as provided by the opensso quickstart.\n\nThe opensso quickstart has been removed in this release to address these\nflaws. Users interested in continuing to receive updates for their custom\napplications using Oracle OpenSSO are advised to contact Oracle as Red Hat\nis no longer supporting OpenSSO.\n\nWhen a JGroups channel is started, the JGroups diagnostics service would be\nenabled by default with no authentication. This service is exposed via IP\nmulticast. An attacker on an adjacent network could exploit this flaw to\nread diagnostics information. (CVE-2012-2377)\n\nRed Hat would like to thank Christian Schl\u00fcter (VIADA) for reporting\nCVE-2011-4605, and oCERT for reporting CVE-2011-4838. oCERT\nacknowledges Julian W\u00e4lde and Alexander Klink as the original reporters of\nCVE-2011-4838.\n\nWarning: Before installing version 5.3.0, back up your existing JBoss\nEnterprise SOA Platform installation (including its databases,\napplications, configuration files, and so on).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2012:1125",
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
},
{
"category": "external",
"summary": "http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html",
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html"
},
{
"category": "external",
"summary": "785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://access.redhat.com/knowledge/docs/",
"url": "https://access.redhat.com/knowledge/docs/"
},
{
"category": "external",
"summary": "749078",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=749078"
},
{
"category": "external",
"summary": "749079",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=749079"
},
{
"category": "external",
"summary": "766469",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=766469"
},
{
"category": "external",
"summary": "770820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=770820"
},
{
"category": "external",
"summary": "783898",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=783898"
},
{
"category": "external",
"summary": "823392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=823392"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_1125.json"
}
],
"title": "Red Hat Security Advisory: JBoss Enterprise SOA Platform 5.3.0 update",
"tracking": {
"current_release_date": "2024-11-22T05:43:20+00:00",
"generator": {
"date": "2024-11-22T05:43:20+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2012:1125",
"initial_release_date": "2012-07-31T14:24:00+00:00",
"revision_history": [
{
"date": "2012-07-31T14:24:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2012-07-31T14:32:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T05:43:20+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss SOA Platform 5.3",
"product": {
"name": "Red Hat JBoss SOA Platform 5.3",
"product_id": "Red Hat JBoss SOA Platform 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_soa_platform:5.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2011-3506",
"discovery_date": "2011-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "749078"
}
],
"notes": [
{
"category": "description",
"text": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenSSO: unspecified vulnerability in the authentication component",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Oracle OpenSSO is provided as part of the opensso quickstart example application shipped with JBoss Enterprise SOA Platform 5. The CVE-2011-3506, CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso quickstart example application is deployed, or you have created and deployed a custom application that is packaged with a copy of Oracle OpenSSO as provided by the opensso quickstart.\n\nThe opensso quickstart has been removed in JBoss Enterprise SOA Platform 5.3.0 to address these flaws. Users interested in continuing to receive updates for their custom applications using Oracle OpenSSO are advised to contact Oracle as Red Hat is no longer supporting OpenSSO.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-3506"
},
{
"category": "external",
"summary": "RHBZ#749078",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=749078"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-3506",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3506"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-3506",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3506"
},
{
"category": "external",
"summary": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
}
],
"release_date": "2011-10-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "OpenSSO: unspecified vulnerability in the authentication component"
},
{
"cve": "CVE-2011-3517",
"discovery_date": "2011-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "749079"
}
],
"notes": [
{
"category": "description",
"text": "Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 8.0 allows remote attackers to affect availability via unknown vectors related to Authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenSSO: unspecified vulnerability in the authentication component",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Oracle OpenSSO is provided as part of the opensso quickstart example application shipped with JBoss Enterprise SOA Platform 5. The CVE-2011-3506, CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso quickstart example application is deployed, or you have created and deployed a custom application that is packaged with a copy of Oracle OpenSSO as provided by the opensso quickstart.\n\nThe opensso quickstart has been removed in JBoss Enterprise SOA Platform 5.3.0 to address these flaws. Users interested in continuing to receive updates for their custom applications using Oracle OpenSSO are advised to contact Oracle as Red Hat is no longer supporting OpenSSO.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-3517"
},
{
"category": "external",
"summary": "RHBZ#749079",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=749079"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-3517",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3517"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-3517",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3517"
},
{
"category": "external",
"summary": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html"
}
],
"release_date": "2011-10-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "OpenSSO: unspecified vulnerability in the authentication component"
},
{
"acknowledgments": [
{
"names": [
"Christian Schl\u00fcter"
],
"organization": "VIADA"
}
],
"cve": "CVE-2011-4605",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"discovery_date": "2011-12-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "766469"
}
],
"notes": [
{
"category": "description",
"text": "The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JNDI: unauthenticated remote write access is permitted by default",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-4605"
},
{
"category": "external",
"summary": "RHBZ#766469",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=766469"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-4605",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4605"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-4605",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4605"
}
],
"release_date": "2012-06-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "JNDI: unauthenticated remote write access is permitted by default"
},
{
"acknowledgments": [
{
"names": [
"oCERT"
]
}
],
"cve": "CVE-2011-4838",
"discovery_date": "2011-11-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "770820"
}
],
"notes": [
{
"category": "description",
"text": "JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jruby: hash table collisions DoS (oCERT-2011-003)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-4838"
},
{
"category": "external",
"summary": "RHBZ#770820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=770820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-4838",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4838"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-4838",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4838"
}
],
"release_date": "2011-12-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jruby: hash table collisions DoS (oCERT-2011-003)"
},
{
"cve": "CVE-2011-5245",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2011-5245"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2011-5245",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-5245"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2012-0079",
"discovery_date": "2012-01-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "783898"
}
],
"notes": [
{
"category": "description",
"text": "Unspecified vulnerability in Oracle OpenSSO 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Administration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenSSO: Unspecified vulnerability allows remote attackers to affect integrity via unknown vectors",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Oracle OpenSSO is provided as part of the opensso quickstart example application shipped with JBoss Enterprise SOA Platform 5. The CVE-2011-3506, CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso quickstart example application is deployed, or you have created and deployed a custom application that is packaged with a copy of Oracle OpenSSO as provided by the opensso quickstart.\n\nThe opensso quickstart has been removed in JBoss Enterprise SOA Platform 5.3.0 to address these flaws. Users interested in continuing to receive updates for their custom applications using Oracle OpenSSO are advised to contact Oracle as Red Hat is no longer supporting OpenSSO.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0079"
},
{
"category": "external",
"summary": "RHBZ#783898",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=783898"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0079",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0079"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0079",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0079"
}
],
"release_date": "2012-01-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "OpenSSO: Unspecified vulnerability allows remote attackers to affect integrity via unknown vectors"
},
{
"cve": "CVE-2012-0818",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2012-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "785631"
}
],
"notes": [
{
"category": "description",
"text": "RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: XML eXternal Entity (XXE) flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0818"
},
{
"category": "external",
"summary": "RHBZ#785631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0818",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0818"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818"
}
],
"release_date": "2011-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "RESTEasy: XML eXternal Entity (XXE) flaw"
},
{
"cve": "CVE-2012-1167",
"discovery_date": "2012-03-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "802622"
}
],
"notes": [
{
"category": "description",
"text": "The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-1167"
},
{
"category": "external",
"summary": "RHBZ#802622",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=802622"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-1167",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-1167"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-1167",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1167"
}
],
"release_date": "2012-06-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm"
},
{
"acknowledgments": [
{
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2012-2377",
"discovery_date": "2012-05-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "823392"
}
],
"notes": [
{
"category": "description",
"text": "JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-2377"
},
{
"category": "external",
"summary": "RHBZ#823392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=823392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-2377",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2377"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-2377",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2377"
}
],
"release_date": "2012-06-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-07-31T14:24:00+00:00",
"details": "All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform\n5.3.0.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the new version). Before installing version 5.3.0, back\nup your existing JBoss Enterprise SOA Platform installation (including its\ndatabases, applications, configuration files, and so on).\n\nThe fix for CVE-2012-0818 is not enabled by default. This update adds a new\nconfiguration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1125"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…