cvelistv5 - cve-2014-3518

CVE-2014-3518 (GCVE-0-2014-3518)

Vulnerability from cvelistv5 – Published: 2014-07-22 20:00 – Updated: 2024-08-06 10:43

Summary

jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

FKIE_CVE-2014-3518

Vulnerability from fkie_nvd - Published: 2014-07-22 20:55 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

	URL	Tags
	secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2014-0887.html	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2014-0887.html	Vendor Advisory

Impacted products

Vendor	Product	Version
redhat	jboss_enterprise_application_platform	5.2.0
redhat	jboss_enterprise_brms_platform	5.3.1
redhat	jboss_enterprise_portal_platform	5.2.2
redhat	jboss_enterprise_soa_platform	5.3.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "46849C8D-36E9-4E97-BB49-E04F4EB199E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A6B1CE36-5131-425D-90BD-FC597F27B3E4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "3451D2AD-BB7B-4149-97C3-2DB1BCC0EF85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "93B87581-F441-4A93-B797-337B7572CC08",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors."
    },
    {
      "lang": "es",
      "value": "jmx-remoting.sar en JBoss Remoting, utilizado en Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2 y Red Hat JBoss SOA Platform 5.3.1, no implementa debidamente la especificaci\u00f3n JSR 160, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores no especificados."
    }
  ],
  "id": "CVE-2014-3518",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-07-22T20:55:01.843",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0887.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0887.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-X7HH-CW6H-X3Q4

Vulnerability from github – Published: 2022-05-17 04:39 – Updated: 2022-05-17 04:39

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2014-3518"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-07-22T20:55:00Z",
    "severity": "MODERATE"
  },
  "details": "jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors.",
  "id": "GHSA-x7hh-cw6h-x3q4",
  "modified": "2022-05-17T04:39:23Z",
  "published": "2022-05-17T04:39:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3518"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0887.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

RHSA-2014_0887

Vulnerability from csaf_redhat - Published: 2014-07-16 04:38 - Updated: 2024-11-22 08:10

Summary

Red Hat Security Advisory: JBoss Remoting security update

Notes

Topic

This advisory contains instructions on how to resolve one security issue found in the JBoss Remoting component, which is included in Red Hat JBoss Enterprise Application Platform 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1. The Red Hat Security Response Team has rated this security issue as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Details

JBoss Remoting is a stand-alone project that provides an API for making remote invocations using pluggable transports and data marshallers. JBoss Application Server 5 and supported Red Hat JBoss 5.x products contain JBoss Remoting, which includes a partial implementation of the JMX remoting specification JSR 160. This implementation is provided in jmx-remoting.sar, which is deployed by default in unsupported community releases of JBoss Application Server 5.x. This implementation does not implement security as defined in JSR 160, and therefore does not apply any authentication or authorization constraints. A remote attacker could use this flaw to potentially execute arbitrary code on a vulnerable server. All of the supported Red Hat JBoss 5.x products are not affected by this issue in their default configuration. These products are only vulnerable if JMX remoting is enabled by manually deploying jmx-remoting.sar from the jboss-as/docs/examples directory. Unsupported community releases of JBoss Application Server 5.x are affected. All users of the standalone JBoss Remoting project are also affected. (CVE-2014-3518) Red Hat would like to thank Harun ESUR of Sceptive for reporting this issue. All users of Red Hat JBoss Enterprise Application Platform 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1 as provided from the Red Hat Customer Portal who have jmx-remoting.sar deployed are advised to follow the instructions provided in the Solution section of this advisory.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "This advisory contains instructions on how to resolve one security issue\nfound in the JBoss Remoting component, which is included in Red Hat JBoss\nEnterprise Application Platform 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat\nJBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1.\n\nThe Red Hat Security Response Team has rated this security issue as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "JBoss Remoting is a stand-alone project that provides an API for making\nremote invocations using pluggable transports and data marshallers.\n\nJBoss Application Server 5 and supported Red Hat JBoss 5.x products contain\nJBoss Remoting, which includes a partial implementation of the JMX remoting\nspecification JSR 160. This implementation is provided in jmx-remoting.sar,\nwhich is deployed by default in unsupported community releases of JBoss\nApplication Server 5.x. This implementation does not implement security as\ndefined in JSR 160, and therefore does not apply any authentication or\nauthorization constraints. A remote attacker could use this flaw to\npotentially execute arbitrary code on a vulnerable server. All of the\nsupported Red Hat JBoss 5.x products are not affected by this issue in\ntheir default configuration. These products are only vulnerable if JMX\nremoting is enabled by manually deploying jmx-remoting.sar from the\njboss-as/docs/examples directory. Unsupported community releases of JBoss\nApplication Server 5.x are affected. All users of the standalone JBoss\nRemoting project are also affected. (CVE-2014-3518)\n\nRed Hat would like to thank Harun ESUR of Sceptive for reporting this\nissue.\n\nAll users of Red Hat JBoss Enterprise Application Platform 5.2.0, Red Hat\nJBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss\nSOA Platform 5.3.1 as provided from the Red Hat Customer Portal who have\njmx-remoting.sar deployed are advised to follow the instructions provided\nin the Solution section of this advisory.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0887",
        "url": "https://access.redhat.com/errata/RHSA-2014:0887"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/238943",
        "url": "https://access.redhat.com/solutions/238943"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/1120423",
        "url": "https://access.redhat.com/solutions/1120423"
      },
      {
        "category": "external",
        "summary": "1112545",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112545"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0887.json"
      }
    ],
    "title": "Red Hat Security Advisory: JBoss Remoting security update",
    "tracking": {
      "current_release_date": "2024-11-22T08:10:53+00:00",
      "generator": {
        "date": "2024-11-22T08:10:53+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2014:0887",
      "initial_release_date": "2014-07-16T04:38:08+00:00",
      "revision_history": [
        {
          "date": "2014-07-16T04:38:08+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2020-06-15T16:41:29+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T08:10:53+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 5.2",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 5.2",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "JBoss Enterprise BRMS Platform 5.3",
                "product": {
                  "name": "JBoss Enterprise BRMS Platform 5.3",
                  "product_id": "JBoss Enterprise BRMS Platform 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5.3.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss Portal 5.2",
                "product": {
                  "name": "Red Hat JBoss Portal 5.2",
                  "product_id": "Red Hat JBoss Portal 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss SOA Platform 5.3",
                "product": {
                  "name": "Red Hat JBoss SOA Platform 5.3",
                  "product_id": "Red Hat JBoss SOA Platform 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Middleware"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Harun ESUR"
          ],
          "organization": "Sceptive"
        }
      ],
      "cve": "CVE-2014-3518",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2014-06-23T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1112545"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "JBoss Application Server 5 and supported Red Hat JBoss 5.x products contain JBoss Remoting, which includes a partial implementation of the JMX remoting specification JSR 160. This implementation is provided in jmx-remoting.sar, which is deployed by default in unsupported community releases of JBoss Application Server 5.x. This implementation does not implement security as defined in JSR 160, and therefore does not apply any authentication or authorization constraints. A remote attacker could use this flaw to potentially execute arbitrary code on a vulnerable server. All of the supported Red Hat JBoss 5.x products are not affected by this issue in their default configuration. These products are only vulnerable if JMX remoting is enabled by manually deploying jmx-remoting.sar from the jboss-as/docs/examples directory. Unsupported community releases of JBoss Application Server 5.x are affected. All users of the standalone JBoss Remoting project are also affected.\r\n\r\nFor more information, see https://access.redhat.com/solutions/1120423",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "5: Remote code execution via unauthenticated JMX/RMI connector",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "JBoss Enterprise BRMS Platform 5.3",
          "Red Hat JBoss Enterprise Application Platform 5.2",
          "Red Hat JBoss Portal 5.2",
          "Red Hat JBoss SOA Platform 5.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-3518"
        },
        {
          "category": "external",
          "summary": "RHBZ#1112545",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112545"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3518",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-3518"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3518",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3518"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/solutions/1120423",
          "url": "https://access.redhat.com/solutions/1120423"
        }
      ],
      "release_date": "2014-07-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-07-16T04:38:08+00:00",
          "details": "In case your server is affected, undeploy jmx-remoting.sar if JMX remoting\nis not required by your applications. If your applications do require it,\nsecure JMX remoting by following the instructions at\nhttps://access.redhat.com/solutions/238943\n\nFor more information, see https://access.redhat.com/solutions/1120423",
          "product_ids": [
            "JBoss Enterprise BRMS Platform 5.3",
            "Red Hat JBoss Enterprise Application Platform 5.2",
            "Red Hat JBoss Portal 5.2",
            "Red Hat JBoss SOA Platform 5.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0887"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "JBoss Enterprise BRMS Platform 5.3",
            "Red Hat JBoss Enterprise Application Platform 5.2",
            "Red Hat JBoss Portal 5.2",
            "Red Hat JBoss SOA Platform 5.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "5: Remote code execution via unauthenticated JMX/RMI connector"
    }
  ]
}

RHSA-2014:0887

Vulnerability from csaf_redhat - Published: 2014-07-16 04:38 - Updated: 2025-11-21 17:49

Summary

Red Hat Security Advisory: JBoss Remoting security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "This advisory contains instructions on how to resolve one security issue\nfound in the JBoss Remoting component, which is included in Red Hat JBoss\nEnterprise Application Platform 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat\nJBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1.\n\nThe Red Hat Security Response Team has rated this security issue as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "JBoss Remoting is a stand-alone project that provides an API for making\nremote invocations using pluggable transports and data marshallers.\n\nJBoss Application Server 5 and supported Red Hat JBoss 5.x products contain\nJBoss Remoting, which includes a partial implementation of the JMX remoting\nspecification JSR 160. This implementation is provided in jmx-remoting.sar,\nwhich is deployed by default in unsupported community releases of JBoss\nApplication Server 5.x. This implementation does not implement security as\ndefined in JSR 160, and therefore does not apply any authentication or\nauthorization constraints. A remote attacker could use this flaw to\npotentially execute arbitrary code on a vulnerable server. All of the\nsupported Red Hat JBoss 5.x products are not affected by this issue in\ntheir default configuration. These products are only vulnerable if JMX\nremoting is enabled by manually deploying jmx-remoting.sar from the\njboss-as/docs/examples directory. Unsupported community releases of JBoss\nApplication Server 5.x are affected. All users of the standalone JBoss\nRemoting project are also affected. (CVE-2014-3518)\n\nRed Hat would like to thank Harun ESUR of Sceptive for reporting this\nissue.\n\nAll users of Red Hat JBoss Enterprise Application Platform 5.2.0, Red Hat\nJBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss\nSOA Platform 5.3.1 as provided from the Red Hat Customer Portal who have\njmx-remoting.sar deployed are advised to follow the instructions provided\nin the Solution section of this advisory.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0887",
        "url": "https://access.redhat.com/errata/RHSA-2014:0887"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/238943",
        "url": "https://access.redhat.com/solutions/238943"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/1120423",
        "url": "https://access.redhat.com/solutions/1120423"
      },
      {
        "category": "external",
        "summary": "1112545",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112545"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0887.json"
      }
    ],
    "title": "Red Hat Security Advisory: JBoss Remoting security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:49:10+00:00",
      "generator": {
        "date": "2025-11-21T17:49:10+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2014:0887",
      "initial_release_date": "2014-07-16T04:38:08+00:00",
      "revision_history": [
        {
          "date": "2014-07-16T04:38:08+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2020-06-15T16:41:29+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:49:10+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 5.2",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 5.2",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "JBoss Enterprise BRMS Platform 5.3",
                "product": {
                  "name": "JBoss Enterprise BRMS Platform 5.3",
                  "product_id": "JBoss Enterprise BRMS Platform 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5.3.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss Portal 5.2",
                "product": {
                  "name": "Red Hat JBoss Portal 5.2",
                  "product_id": "Red Hat JBoss Portal 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss SOA Platform 5.3",
                "product": {
                  "name": "Red Hat JBoss SOA Platform 5.3",
                  "product_id": "Red Hat JBoss SOA Platform 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Middleware"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Harun ESUR"
          ],
          "organization": "Sceptive"
        }
      ],
      "cve": "CVE-2014-3518",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2014-06-23T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1112545"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "JBoss Application Server 5 and supported Red Hat JBoss 5.x products contain JBoss Remoting, which includes a partial implementation of the JMX remoting specification JSR 160. This implementation is provided in jmx-remoting.sar, which is deployed by default in unsupported community releases of JBoss Application Server 5.x. This implementation does not implement security as defined in JSR 160, and therefore does not apply any authentication or authorization constraints. A remote attacker could use this flaw to potentially execute arbitrary code on a vulnerable server. All of the supported Red Hat JBoss 5.x products are not affected by this issue in their default configuration. These products are only vulnerable if JMX remoting is enabled by manually deploying jmx-remoting.sar from the jboss-as/docs/examples directory. Unsupported community releases of JBoss Application Server 5.x are affected. All users of the standalone JBoss Remoting project are also affected.\r\n\r\nFor more information, see https://access.redhat.com/solutions/1120423",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "5: Remote code execution via unauthenticated JMX/RMI connector",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "JBoss Enterprise BRMS Platform 5.3",
          "Red Hat JBoss Enterprise Application Platform 5.2",
          "Red Hat JBoss Portal 5.2",
          "Red Hat JBoss SOA Platform 5.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-3518"
        },
        {
          "category": "external",
          "summary": "RHBZ#1112545",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112545"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3518",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-3518"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3518",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3518"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/solutions/1120423",
          "url": "https://access.redhat.com/solutions/1120423"
        }
      ],
      "release_date": "2014-07-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-07-16T04:38:08+00:00",
          "details": "In case your server is affected, undeploy jmx-remoting.sar if JMX remoting\nis not required by your applications. If your applications do require it,\nsecure JMX remoting by following the instructions at\nhttps://access.redhat.com/solutions/238943\n\nFor more information, see https://access.redhat.com/solutions/1120423",
          "product_ids": [
            "JBoss Enterprise BRMS Platform 5.3",
            "Red Hat JBoss Enterprise Application Platform 5.2",
            "Red Hat JBoss Portal 5.2",
            "Red Hat JBoss SOA Platform 5.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0887"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "JBoss Enterprise BRMS Platform 5.3",
            "Red Hat JBoss Enterprise Application Platform 5.2",
            "Red Hat JBoss Portal 5.2",
            "Red Hat JBoss SOA Platform 5.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "5: Remote code execution via unauthenticated JMX/RMI connector"
    }
  ]
}

GSD-2014-3518

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2014-3518

Aliases

CVE-2014-3518

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-3518",
    "description": "jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors.",
    "id": "GSD-2014-3518",
    "references": [
      "https://access.redhat.com/errata/RHSA-2014:0887"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-3518"
      ],
      "details": "jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors.",
      "id": "GSD-2014-3518",
      "modified": "2023-12-13T01:22:52.934103Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2014-3518",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2014-0887.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0887.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,6.0.0.20100216-M2]",
          "affected_versions": "All versions up to 6.0.0.20100216-M2",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937",
            "CWE-94"
          ],
          "date": "2014-07-23",
          "description": "`jmx-remoting.sar` in JBoss Remoting does not properly implement the JSR specification, which allows remote attackers to execute arbitrary code via unspecified vectors.",
          "fixed_versions": [],
          "identifier": "CVE-2014-3518",
          "identifiers": [
            "CVE-2014-3518"
          ],
          "package_slug": "maven/org.jboss.jbossas/jboss-as-jmx-remoting",
          "pubdate": "2014-07-22",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Code Injection",
          "urls": [
            "https://bugzilla.redhat.com/CVE-2014-3518"
          ],
          "uuid": "14d45fea-b462-4952-8700-c3f24e000e8a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2014-3518"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-94"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2014:0887",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0887.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2014-07-23T13:14Z",
      "publishedDate": "2014-07-22T20:55Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-3518 (GCVE-0-2014-3518)

FKIE_CVE-2014-3518

GHSA-X7HH-CW6H-X3Q4

RHSA-2014_0887

RHSA-2014:0887

GSD-2014-3518

Tags

Sightings

Nomenclature