rhsa-2012_0396
Vulnerability from csaf_redhat
Published
2012-03-19 21:43
Modified
2024-09-15 19:46
Summary
Red Hat Security Advisory: JBoss Operations Network 2.4.2 security update
Notes
Topic
An update for JBoss Operations Network 2.4.2 that fixes one security issue
is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
Details
JBoss Operations Network (JBoss ON) is a middleware management solution
that provides a single point of control to deploy, manage, and monitor
JBoss Enterprise Middleware, applications, and services.
A flaw was found in the way LDAP (Lightweight Directory Access Protocol)
authentication was handled. If the LDAP bind account credentials became
invalid, subsequent log in attempts with any password for user accounts
created via LDAP were successful. A remote attacker could use this flaw
to log into LDAP-based JBoss ON accounts without knowing the correct
passwords. (CVE-2012-1100)
Warning: Before applying the update, back up your existing JBoss ON
installation (including its databases, applications, configuration files,
the JBoss ON server's file system directory, and so on).
All users of JBoss Operations Network 2.4.2 as provided from the Red Hat
Customer Portal are advised to install this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for JBoss Operations Network 2.4.2 that fixes one security issue\nis now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "JBoss Operations Network (JBoss ON) is a middleware management solution\nthat provides a single point of control to deploy, manage, and monitor\nJBoss Enterprise Middleware, applications, and services.\n\nA flaw was found in the way LDAP (Lightweight Directory Access Protocol)\nauthentication was handled. If the LDAP bind account credentials became\ninvalid, subsequent log in attempts with any password for user accounts\ncreated via LDAP were successful. A remote attacker could use this flaw\nto log into LDAP-based JBoss ON accounts without knowing the correct\npasswords. (CVE-2012-1100)\n\nWarning: Before applying the update, back up your existing JBoss ON\ninstallation (including its databases, applications, configuration files,\nthe JBoss ON server\u0027s file system directory, and so on).\n\nAll users of JBoss Operations Network 2.4.2 as provided from the Red Hat\nCustomer Portal are advised to install this update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2012:0396",
"url": "https://access.redhat.com/errata/RHSA-2012:0396"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=2.4.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=2.4.2"
},
{
"category": "external",
"summary": "799789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=799789"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2012/rhsa-2012_0396.json"
}
],
"title": "Red Hat Security Advisory: JBoss Operations Network 2.4.2 security update",
"tracking": {
"current_release_date": "2024-09-15T19:46:55+00:00",
"generator": {
"date": "2024-09-15T19:46:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHSA-2012:0396",
"initial_release_date": "2012-03-19T21:43:00+00:00",
"revision_history": [
{
"date": "2012-03-19T21:43:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2012-03-19T21:46:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-15T19:46:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Operations Network 2.4",
"product": {
"name": "Red Hat JBoss Operations Network 2.4",
"product_id": "Red Hat JBoss Operations Network 2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_operations_network:2.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-1100",
"discovery_date": "2012-03-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "799789"
}
],
"notes": [
{
"category": "description",
"text": "Red Hat JBoss Operations Network (JON) 3.0.x before 3.0.1, 2.4.2, and earlier, when LDAP authentication is enabled and the LDAP bind account credentials are invalid, allows remote attackers to login to LDAP-based accounts via an arbitrary password in a login request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JON: LDAP authentication allows any user access if bind credentials are bad",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Operations Network 2.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-1100"
},
{
"category": "external",
"summary": "RHBZ#799789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=799789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-1100",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-1100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-1100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1100"
}
],
"release_date": "2012-02-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss ON installation (including its databases, applications,\nconfiguration files, the JBoss ON server\u0027s file system directory, and so\non).\n\nStop the JBoss ON server (rhq-server.sh stop) before applying the update.\nAfter applying the update, start the JBoss ON server (rhq-server.sh start).",
"product_ids": [
"Red Hat JBoss Operations Network 2.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:0396"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Operations Network 2.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "JON: LDAP authentication allows any user access if bind credentials are bad"
}
]
}
Loading...