Bug 1120495 (CVE-2014-3558)
| Summary: | CVE-2014-3558 Hibernate Validator: JSM bypass via ReflectionHelper | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Arun Babu Neelicattu <aneelica> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | anmiller, bdawidow, bkearney, bmcclain, brms-jira, cbillett, cdewolf, chazlett, cpelland, cperry, dandread, darran.lofthouse, dblechte, epp-bugs, fnasser, grocha, huwang, idith, jason.greene, jawilson, jbpapp-maint, jclere, jcoleman, jdg-bugs, jdoyle, jgoulding, jpallich, jrusnack, juan.hernandez, katello-bugs, kconner, kejohnso, lgao, mgoldman, mjc, mmccune, mweiler, myarboro, pgier, pslavice, Rhev-m-bugs, rhq-maint, rsvoboda, soa-p-jira, spinder, theute, tkirby, tomckay, ttarrant, vtunka, weli, ykaul |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
It was discovered that the implementation of org.hibernate.validator.util.ReflectionHelper together with the permissions required to run Hibernate Validator under the Java Security Manager could allow a malicious application deployed in the same application container to execute several actions with escalated privileges, which might otherwise not be possible. This flaw could be used to perform various attacks, including but not restricted to, arbitrary code execution in systems that are otherwise secured by the Java Security Manager.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:33:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1120518, 1120532, 1120513, 1120514, 1120515, 1120516, 1120517, 1120519, 1120520, 1120521, 1120523, 1120524, 1120525, 1120526, 1120527, 1120529, 1120530, 1120531, 1160692 | ||
| Bug Blocks: | 1082938, 1120498, 1138220, 1181883, 1182419, 1187398, 1196328 | ||
|
Description
Arun Babu Neelicattu
2014-07-17 05:08:35 UTC
Upstream Issue: https://hibernate.atlassian.net/browse/HV-912 This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.3.1 Via RHSA-2014:1288 https://rhn.redhat.com/errata/RHSA-2014-1288.html This issue has been addressed in the following products: JBEAP 6.3.z for RHEL 7 Via RHSA-2014:1287 https://rhn.redhat.com/errata/RHSA-2014-1287.html This issue has been addressed in the following products: JBEAP 6.3.z for RHEL 5 Via RHSA-2014:1286 https://rhn.redhat.com/errata/RHSA-2014-1286.html This issue has been addressed in the following products: JBEAP 6.3.z for RHEL 6 Via RHSA-2014:1285 https://rhn.redhat.com/errata/RHSA-2014-1285.html This issue has been addressed in the following products: JBoss Web Framework Kit 2.7.0 Via RHSA-2015:0125 https://rhn.redhat.com/errata/RHSA-2015-0125.html This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html This issue has been addressed in the following products: Red Hat JBoss Fuse Service Works 6.0.0 Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html |