rhsa-2014_0887
Vulnerability from csaf_redhat
Published
2014-07-16 04:38
Modified
2024-11-22 08:10
Summary
Red Hat Security Advisory: JBoss Remoting security update

Notes

Topic
This advisory contains instructions on how to resolve one security issue found in the JBoss Remoting component, which is included in Red Hat JBoss Enterprise Application Platform 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1. The Red Hat Security Response Team has rated this security issue as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
Details
JBoss Remoting is a stand-alone project that provides an API for making remote invocations using pluggable transports and data marshallers.

JBoss Application Server 5 and supported Red Hat JBoss 5.x products contain JBoss Remoting, which includes a partial implementation of the JMX remoting specification JSR 160. This implementation is provided in jmx-remoting.sar, which is deployed by default in unsupported community releases of JBoss Application Server 5.x. The implementation does not implement security as defined in JSR 160, and therefore applies no authentication or authorization constraints to remote JMX clients. A remote attacker could use this flaw to potentially execute arbitrary code on a vulnerable server.

None of the supported Red Hat JBoss 5.x products is affected by this issue in its default configuration. These products are only vulnerable if JMX remoting has been enabled by manually deploying jmx-remoting.sar from the jboss-as/docs/examples directory. Unsupported community releases of JBoss Application Server 5.x are affected. All users of the standalone JBoss Remoting project are also affected. (CVE-2014-3518)

Red Hat would like to thank Harun ESUR of Sceptive for reporting this issue.

All users of Red Hat JBoss Enterprise Application Platform 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1 as provided from the Red Hat Customer Portal who have jmx-remoting.sar deployed are advised to follow the instructions provided in the Solution section of this advisory.
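Because exposure depends entirely on whether jmx-remoting.sar has been copied out of docs/examples into a server profile, the first thing to check on an EAP 5 / SOA 5 / BRMS 5 / Portal 5 host is the deploy directories. The script below is an added example, not part of the advisory or of any Red Hat tooling. It assumes the JBoss AS 5 on-disk layout of one profile per directory under JBOSS_HOME/server/<profile>/deploy; the copy under docs/examples is deliberately not reported, since only a deployed archive (packed file or exploded directory) enables the unauthenticated JSR 160 connector.

```shell
#!/bin/sh
# Added example (not from RHSA-2014:0887): report jmx-remoting.sar wherever it is
# deployed in a JBoss AS 5 / EAP 5 installation.
#
# Assumption: profiles live at JBOSS_HOME/server/<profile>/deploy. The reference
# copy in JBOSS_HOME/docs/examples is outside server/ and is therefore never listed.
#
# find_deployed_jmx_remoting JBOSS_HOME
#   prints one path per deployed jmx-remoting.sar (packed or exploded)
#   returns 0 when nothing is deployed, 1 when at least one copy is found,
#   2 when the directory does not look like a JBoss AS 5 installation
find_deployed_jmx_remoting() {
    jboss_home="$1"
    if [ ! -d "$jboss_home/server" ]; then
        echo "no server/ directory under $jboss_home (not an AS 5 layout?)" >&2
        return 2
    fi
    # Match the archive name only beneath a deploy/ directory; an exploded .sar
    # is a directory, a packed one a file, and both are matched by name.
    hits=$(find "$jboss_home/server" -path '*/deploy/*' -name 'jmx-remoting.sar' 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Stand-alone use: ./check-jmx-remoting.sh /opt/jboss-eap-5.2/jboss-as
# (the path is a hypothetical installation directory)
if [ -n "${1:-}" ]; then
    if find_deployed_jmx_remoting "$1"; then
        echo "jmx-remoting.sar is not deployed; not exposed to CVE-2014-3518"
    else
        rc=$?
        [ "$rc" -eq 1 ] && echo "jmx-remoting.sar deployed: undeploy it or secure JMX remoting per the advisory" >&2
        exit "$rc"
    fi
fi
```

A hit means the advisory's remediation applies: remove the archive from every listed deploy directory if the applications do not need JMX remoting, or secure it following the Red Hat solution linked in the advisory. A non-zero exit also makes the check usable from configuration-management or fleet-scanning jobs.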
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "This advisory contains instructions on how to resolve one security issue\nfound in the JBoss Remoting component, which is included in Red Hat JBoss\nEnterprise Application Platform 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat\nJBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1.\n\nThe Red Hat Security Response Team has rated this security issue as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "JBoss Remoting is a stand-alone project that provides an API for making\nremote invocations using pluggable transports and data marshallers.\n\nJBoss Application Server 5 and supported Red Hat JBoss 5.x products contain\nJBoss Remoting, which includes a partial implementation of the JMX remoting\nspecification JSR 160. This implementation is provided in jmx-remoting.sar,\nwhich is deployed by default in unsupported community releases of JBoss\nApplication Server 5.x. This implementation does not implement security as\ndefined in JSR 160, and therefore does not apply any authentication or\nauthorization constraints. A remote attacker could use this flaw to\npotentially execute arbitrary code on a vulnerable server. All of the\nsupported Red Hat JBoss 5.x products are not affected by this issue in\ntheir default configuration. These products are only vulnerable if JMX\nremoting is enabled by manually deploying jmx-remoting.sar from the\njboss-as/docs/examples directory. Unsupported community releases of JBoss\nApplication Server 5.x are affected. All users of the standalone JBoss\nRemoting project are also affected. (CVE-2014-3518)\n\nRed Hat would like to thank Harun ESUR of Sceptive for reporting this\nissue.\n\nAll users of Red Hat JBoss Enterprise Application Platform 5.2.0, Red Hat\nJBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss\nSOA Platform 5.3.1 as provided from the Red Hat Customer Portal who have\njmx-remoting.sar deployed are advised to follow the instructions provided\nin the Solution section of this advisory.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0887",
        "url": "https://access.redhat.com/errata/RHSA-2014:0887"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/238943",
        "url": "https://access.redhat.com/solutions/238943"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/1120423",
        "url": "https://access.redhat.com/solutions/1120423"
      },
      {
        "category": "external",
        "summary": "1112545",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112545"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0887.json"
      }
    ],
    "title": "Red Hat Security Advisory: JBoss Remoting security update",
    "tracking": {
      "current_release_date": "2024-11-22T08:10:53+00:00",
      "generator": {
        "date": "2024-11-22T08:10:53+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2014:0887",
      "initial_release_date": "2014-07-16T04:38:08+00:00",
      "revision_history": [
        {
          "date": "2014-07-16T04:38:08+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2020-06-15T16:41:29+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T08:10:53+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 5.2",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 5.2",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "JBoss Enterprise BRMS Platform 5.3",
                "product": {
                  "name": "JBoss Enterprise BRMS Platform 5.3",
                  "product_id": "JBoss Enterprise BRMS Platform 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5.3.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss Portal 5.2",
                "product": {
                  "name": "Red Hat JBoss Portal 5.2",
                  "product_id": "Red Hat JBoss Portal 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss SOA Platform 5.3",
                "product": {
                  "name": "Red Hat JBoss SOA Platform 5.3",
                  "product_id": "Red Hat JBoss SOA Platform 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Middleware"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Harun ESUR"
          ],
          "organization": "Sceptive"
        }
      ],
      "cve": "CVE-2014-3518",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2014-06-23T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1112545"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "JBoss Application Server 5 and supported Red Hat JBoss 5.x products contain JBoss Remoting, which includes a partial implementation of the JMX remoting specification JSR 160. This implementation is provided in jmx-remoting.sar, which is deployed by default in unsupported community releases of JBoss Application Server 5.x. This implementation does not implement security as defined in JSR 160, and therefore does not apply any authentication or authorization constraints. A remote attacker could use this flaw to potentially execute arbitrary code on a vulnerable server. All of the supported Red Hat JBoss 5.x products are not affected by this issue in their default configuration. These products are only vulnerable if JMX remoting is enabled by manually deploying jmx-remoting.sar from the jboss-as/docs/examples directory. Unsupported community releases of JBoss Application Server 5.x are affected. All users of the standalone JBoss Remoting project are also affected.\r\n\r\nFor more information, see https://access.redhat.com/solutions/1120423",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "5: Remote code execution via unauthenticated JMX/RMI connector",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "JBoss Enterprise BRMS Platform 5.3",
          "Red Hat JBoss Enterprise Application Platform 5.2",
          "Red Hat JBoss Portal 5.2",
          "Red Hat JBoss SOA Platform 5.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-3518"
        },
        {
          "category": "external",
          "summary": "RHBZ#1112545",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112545"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3518",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-3518"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3518",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3518"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/solutions/1120423",
          "url": "https://access.redhat.com/solutions/1120423"
        }
      ],
      "release_date": "2014-07-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-07-16T04:38:08+00:00",
          "details": "In case your server is affected, undeploy jmx-remoting.sar if JMX remoting\nis not required by your applications. If your applications do require it,\nsecure JMX remoting by following the instructions at\nhttps://access.redhat.com/solutions/238943\n\nFor more information, see https://access.redhat.com/solutions/1120423",
          "product_ids": [
            "JBoss Enterprise BRMS Platform 5.3",
            "Red Hat JBoss Enterprise Application Platform 5.2",
            "Red Hat JBoss Portal 5.2",
            "Red Hat JBoss SOA Platform 5.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0887"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "JBoss Enterprise BRMS Platform 5.3",
            "Red Hat JBoss Enterprise Application Platform 5.2",
            "Red Hat JBoss Portal 5.2",
            "Red Hat JBoss SOA Platform 5.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "5: Remote code execution via unauthenticated JMX/RMI connector"
    }
  ]
}

