Vulnerability Name: CVE-2012-0874 (CCN-81511)
Assigned: 2012-01-19
Published: 2013-01-24
Updated: 2017-08-29

Summary: The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. Note: this issue can only be exploited when the interceptor is not properly configured with a "second layer of authentication," or when used in conjunction with other vulnerabilities that bypass this second layer.

Per http://rhn.redhat.com/errata/RHSA-2013-0192.html: "This JBoss Enterprise Application Platform 5.2.0 release serves as a replacement for JBoss Enterprise Application Platform 5.1.2, and includes bug fixes and enhancements."

Per http://rhn.redhat.com/errata/RHSA-2013-0196.html: "This JBoss Enterprise Web Platform 5.2.0 release serves as a replacement for JBoss Enterprise Web Platform 5.1.2, and includes bug fixes and enhancements."

CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVSS v2 Severity:
- 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
- 5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
- 5.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Vulnerability Type: CWE-287
Vulnerability Consequences: Gain Access

References:
- Source: BUGTRAQ; Type: UNKNOWN; 20131219 ESA-2013-094: EMC Data Protection Advisor JBOSS Remote Code Execution Vulnerability
- Source: CCN; Type: ESA-2013-094; EMC Data Protection Advisor JBOSS Remote Code Execution Vulnerability
- Source: MITRE; Type: CNA; CVE-2012-0874
- Source: CCN; Type: RHSA-2013-0191; Important: JBoss Enterprise Application Platform 5.2.0 update
- Source: REDHAT; Type: Vendor Advisory; RHSA-2013:0191
- Source: CCN; Type: RHSA-2013-0192; Important: JBoss Enterprise Application Platform 5.2.0 update
- Source: REDHAT; Type: Vendor Advisory; RHSA-2013:0192
- Source: CCN; Type: RHSA-2013-0193; Important: JBoss Enterprise Application Platform 5.2.0 update
- Source: REDHAT; Type: Vendor Advisory; RHSA-2013:0193
- Source: CCN; Type: RHSA-2013-0194; Important: JBoss Enterprise Application Platform 5.2.0 update
- Source: REDHAT; Type: Vendor Advisory; RHSA-2013:0194
- Source: CCN; Type: RHSA-2013-0195; Important: JBoss Enterprise Web Platform 5.2.0 update
- Source: REDHAT; Type: Vendor Advisory; RHSA-2013:0195
- Source: CCN; Type: RHSA-2013-0196; Important: JBoss Enterprise Web Platform 5.2.0 update
- Source: REDHAT; Type: Vendor Advisory; RHSA-2013:0196
- Source: CCN; Type: RHSA-2013-0197; Important: JBoss Enterprise Web Platform 5.2.0 update
- Source: REDHAT; Type: Vendor Advisory; RHSA-2013:0197
- Source: CCN; Type: RHSA-2013-0198; Important: JBoss Enterprise Web Platform 5.2.0 update
- Source: REDHAT; Type: Vendor Advisory; RHSA-2013:0198
- Source: REDHAT; Type: Vendor Advisory; RHSA-2013:0221
- Source: REDHAT; Type: UNKNOWN; RHSA-2013:0533
- Source: SECUNIA; Type: Vendor Advisory; 51984
- Source: SECUNIA; Type: Vendor Advisory; 52054
- Source: CCN; Type: SA56040; EMC Data Protection EJBInvokerServlet Marshalled Object Vulnerability
- Source: SECTRACK; Type: UNKNOWN; 1028042
- Source: EXPLOIT-DB; Type: UNKNOWN; 30211
- Source: CCN; Type: JBoss Web site; JBoss Enterprise Application Platform
- Source: BID; Type: UNKNOWN; 57552
- Source: CCN; Type: BID-57552; JBoss Enterprise Application Platform CVE-2012-0874 Multiple Security Bypass Vulnerabilities
- Source: MISC; Type: UNKNOWN; https://bugzilla.redhat.com/show_bug.cgi?id=795645
- Source: XF; Type: UNKNOWN; jboss-eap-jmxinvokerhaservlet-code-exec(81511)

Vulnerable Configuration: Configuration 1; Configuration 2; Configuration 3; Configuration CCN 1