Bug 1027052 (CVE-2013-4521)
| Summary: | CVE-2013-4521 Nuxeo RichFaces: Remote code execution due to insecure deserialization | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | David Jorm <djorm> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | unspecified | CC: | mjc, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
A flaw was found in Nuxeo RichFaces where it improperly deserialized data. An attacker could use this flaw to obtain execution on deserialization methods on serializable classes deployed on the server. This can possibly lead to unauthenticated remote code execution.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-11-14 00:42:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
David Jorm
2013-11-06 02:04:31 UTC
Statement: Not vulnerable. This flaw does not affect RichFaces as shipped with various JBoss products. These products use JBoss RichFaces, which is covered by CVE-2013-2165. This flaw pertains specifically to Nuxeo RichFaces. Upstream patch commit: https://github.com/nuxeo/richfaces/commit/6cbad2a6dcb70d3e33a6ce5879b1a3ad79eb1aec Acknowledgements: This issue was discovered by Arun Neelicattu and David Jorm of the Red Hat Security Response Team. |