PRIOn knowledge basePRION:CVE-2012-0874Design/Logic Flaw
The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a “second layer of authentication,” or when used in conjunction with other vulnerabilities that bypass this second layer.
| CPE | Name | Operator | Version |
|---|---|---|---|
| jboss_enterprise_application_platform | eq | 5.2.0 | |
| jboss_enterprise_brms_platform | le | 5.3.0 | |
| jboss_enterprise_web_platform | eq | 5.2.0 |
References
archives.neohapsis.com/archives/bugtraq/2013-12/0134.html
rhn.redhat.com/errata/RHSA-2013-0191.html
rhn.redhat.com/errata/RHSA-2013-0192.html
rhn.redhat.com/errata/RHSA-2013-0193.html
rhn.redhat.com/errata/RHSA-2013-0194.html
rhn.redhat.com/errata/RHSA-2013-0195.html
rhn.redhat.com/errata/RHSA-2013-0196.html
rhn.redhat.com/errata/RHSA-2013-0197.html
rhn.redhat.com/errata/RHSA-2013-0198.html
rhn.redhat.com/errata/RHSA-2013-0221.html
rhn.redhat.com/errata/RHSA-2013-0533.html
secunia.com/advisories/51984
secunia.com/advisories/52054
securitytracker.com/id?1028042
www.securityfocus.com/bid/57552
bugzilla.redhat.com/show_bug.cgi?id=795645
exchange.xforce.ibmcloud.com/vulnerabilities/81511
www.exploit-db.com/exploits/30211
Related
