Bug 1051279 (CVE-2013-6469)

Summary: CVE-2013-6469 RTgov: Remote Java Code Execution in MVEL
Product: [Other] Security Response
Reporter: Pavel Polischouk <pavelp>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-04-09 13:17:02 UTC
Bug Depends On: 1005275
Bug Blocks: 1061967

Description Pavel Polischouk 2014-01-10 00:40:58 UTC
A code execution vulnerability has been discovered in JBoss SOA RTgov. The flaw allows remote authenticated attackers to submit arbitrary Java code in MVEL expressions submitted through RTgov; the code would be executed within the security context of the application server.

Comment 2 Pavel Polischouk 2014-04-09 13:17:02 UTC
Statement:

This issue does not affect RTgov as shipped with Red Hat JBoss Fuse Service Works 6. It may affect earlier versions of the upstream JBoss Overlord RTGov project.

In Red Hat JBoss Fuse Service Works 6, this flaw is mitigated by configuration options that either remove the vulnerable interface, or constrain it using a Java Security Manager policy. These options are documented in the Installation and Security Guides for the product.