Vulnerability Name:

CVE-2010-3708 (CCN-63667)

Assigned:2010-12-01
Published:2010-12-01
Updated:2010-12-30
Summary:The serialization implementation in JBoss Drools in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 before 4.3.0.CP09 and JBoss Enterprise SOA Platform 4.2 and 4.3 supports the embedding of class files, which allows remote attackers to execute arbitrary code via a crafted static initializer.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-20
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2010-3708

Source: CCN
Type: RHSA-2010-0937
Important: JBoss Enterprise Application Platform 4.3.0.CP09 update

Source: CCN
Type: RHSA-2010-0938
Important: JBoss Enterprise Application Platform 4.3.0.CP09 update

Source: CCN
Type: SA42398
Red Hat JBoss Enterprise Application Platform Three Vulnerabilities

Source: CCN
Type: SECTRACK ID: 1024813
JBoss Enterprise Application Platform Bugs Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Request Forgery Attacks

Source: SECTRACK
Type: UNKNOWN
1024813

Source: CCN
Type: JBoss Web site
JBoss Enterprise Application Platform

Source: CCN
Type: OSVDB ID: 70266
JBoss Enterprise Multiple Products JBoss Drools Deserialization Static Initializer Remote Code Execution

Source: REDHAT
Type: Vendor Advisory
RHSA-2010:0937

Source: REDHAT
Type: Vendor Advisory
RHSA-2010:0938

Source: REDHAT
Type: Vendor Advisory
RHSA-2010:0939

Source: REDHAT
Type: Vendor Advisory
RHSA-2010:0940

Source: CCN
Type: BID-45148
JBoss Enterprise Application Platform Multiple Remote Vulnerabilities

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=633859

Source: XF
Type: UNKNOWN
jboss-drools-code-execution(63667)

Source: MISC
Type: UNKNOWN
https://issues.jboss.org/browse/SOA-2319

Vulnerable Configuration:Configuration 1:
  • cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp01:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp02:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp03:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp04:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp05:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp06:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp07:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp08:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:redhat:jboss_enterprise_soa_platform:4.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_soa_platform:4.2.0:cp01:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_soa_platform:4.2.0:cp02:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_soa_platform:4.2.0:cp03:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_soa_platform:4.2.0:cp04:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_soa_platform:4.2.0:cp05:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_soa_platform:4.2.0:tp02:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_soa_platform:4.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_soa_platform:4.3.0:cp01:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_soa_platform:4.3.0:cp02:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_soa_platform:4.3.0:cp03:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_soa_platform:4.3.0:cp04:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:redhat:jboss_enterprise_application_platform:4.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.ubuntu.precise:def:20103708000
    V
    		CVE-2010-3708 on Ubuntu 12.04 LTS (precise) - medium.
    2010-12-30
    oval:com.ubuntu.trusty:def:20103708000
    V
    		CVE-2010-3708 on Ubuntu 14.04 LTS (trusty) - medium.
    2010-12-30
    BACK
    redhat jboss enterprise application platform 4.3.0
    redhat jboss enterprise application platform 4.3.0 cp01
    redhat jboss enterprise application platform 4.3.0 cp02
    redhat jboss enterprise application platform 4.3.0 cp03
    redhat jboss enterprise application platform 4.3.0 cp04
    redhat jboss enterprise application platform 4.3.0 cp05
    redhat jboss enterprise application platform 4.3.0 cp06
    redhat jboss enterprise application platform 4.3.0 cp07
    redhat jboss enterprise application platform 4.3.0 cp08
    redhat jboss enterprise soa platform 4.2.0
    redhat jboss enterprise soa platform 4.2.0 cp01
    redhat jboss enterprise soa platform 4.2.0 cp02
    redhat jboss enterprise soa platform 4.2.0 cp03
    redhat jboss enterprise soa platform 4.2.0 cp04
    redhat jboss enterprise soa platform 4.2.0 cp05
    redhat jboss enterprise soa platform 4.2.0 tp02
    redhat jboss enterprise soa platform 4.3.0
    redhat jboss enterprise soa platform 4.3.0 cp01
    redhat jboss enterprise soa platform 4.3.0 cp02
    redhat jboss enterprise soa platform 4.3.0 cp03
    redhat jboss enterprise soa platform 4.3.0 cp04
    redhat jboss enterprise application platform 4.3