Bug 1051261 (CVE-2013-6468)

Summary: CVE-2013-6468 Drools: Remote Java Code Execution in MVEL
Product: [Other] Security Response Reporter: Pavel Polischouk <pavelp>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: osoukup, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-04-09 12:42:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 991058    
Bug Blocks: 1061967, 1072116    

Description Pavel Polischouk 2014-01-09 23:03:33 UTC 
A code execution vulnerability has been discovered in Drools. The flaw allows remote authenticated attackers to submit arbitrary Java code in MVEL or Drools expressions, the code would be executed within the security context of the application server.
Comment 3 errata-xmlrpc 2014-04-03 21:23:17 UTC 
This issue has been addressed in following products:

  Red Hat JBoss BPM Suite 6.0.1

Via RHSA-2014:0371 https://rhn.redhat.com/errata/RHSA-2014-0371.html
Comment 4 errata-xmlrpc 2014-04-03 21:31:11 UTC 
This issue has been addressed in following products:

  Red Hat JBoss BRMS 6.0.1

Via RHSA-2014:0372 https://rhn.redhat.com/errata/RHSA-2014-0372.html