Bug 615956 (CVE-2010-1871)

Summary:	CVE-2010-1871 JBoss Seam / Seam2: Improper sanitization of parametrized JBoss EL expressions (ACE)
Product:	[Other] Security Response	Reporter:	Jan Lieskovsky <jlieskov>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	high	Docs Contact:
Priority:	high
Version:	unspecified	CC:	ahmad.adly.sayed, atangrin, bressers, djorm, dpospisi, fnasser, max.andersen, mbenitez, meder.k, mjc, mnovotny, mschoene, myarboro, oskutka, pcheung, pjha, pmuir, rnewton, rruss, security-response-team, theute, wnefal+redhatbugzilla
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2011-10-21 04:52:04 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2010-07-19 11:31:33 UTC

An improper input sanitization flaw was found in the way JBoss Seam
web application framework processed certain parametrized JBoss
Expression Language expressions. A remote attacker could use this flaw
to execute arbitrary code via a URL, containing appended, specially-crafted
expression language parameters, provided to certain applications based on
the JBoss Seam framework. Note: A properly configured and enabled Java
Security Manager would prevent exploitation of this flaw.

References:
  [1] http://seamframework.org/
  [2] http://docs.jboss.org/seam/2.2.0.GA/en-US/html/elenhancements.html

Acknowledgements:

Red Hat would like to thank Meder Kydyraliev of Google Security Team
for responsibly reporting this issue.

Comment 7 errata-xmlrpc 2010-07-27 12:51:55 UTC

This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0564 https://rhn.redhat.com/errata/RHSA-2010-0564.html

Comment 8 errata-xmlrpc 2010-07-28 13:20:33 UTC

This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0564 https://rhn.redhat.com/errata/RHSA-2010-0564.html

Comment 9 Rebecca Newton 2010-09-01 07:26:44 UTC

Documented in the EAP 5.1 Release Notes Fixed Issues as:

Meder Kydyraliev from the Google Security Team identified an issue with the way JBoss parsed JBoss Expression Language expressions, if the Java Security Manager was incorrectly configured. This opened a passage for an attacker to execute arbitrary code. This issue has been resolved by fixing the way JBEL is sanitized prior to the server processing it.

Comment 10 Pete Muir 2010-09-01 09:55:27 UTC

That release note doesn't make much sense, due to mixup of brands and technologies, would recommend:

Meder Kydyraliev from the Google Security Team identified an issue with the way
>>>JBoss Seam<<< handled various >>>Unified Expression Language<<< expressions, if the Java Security
Manager was incorrectly configured. This opened a passage for an attacker to
execute arbitrary code. This issue has been resolved by fixing the way >>>the EL expression<<< is
sanitized prior to the server processing it.

Comment 11 Meder Kydyraliev 2010-09-01 12:53:51 UTC

It'd be great if you guys also announced this bug on the Seam community website instead of only silently releasing 2.2.1.CR2.

Comment 12 Pete Muir 2010-09-01 13:03:58 UTC

It was, I guess you just missed it. FYI http://seamframework.org/Community/Seam221CR2IsAvailableForPublic

Comment 13 Meder Kydyraliev 2010-09-01 13:12:43 UTC

Oh, didn't see that, I was expecting something on: http://seamframework.org/Seam2/Downloads but I guess that works too.

Thanks,
Meder

Comment 14 Rebecca Newton 2010-09-01 23:30:39 UTC

Email correspondence from Murray McAllister:

Documented in the EAP 5.1 Release Notes Fixed Issues as:
>
> Meder Kydyraliev from the Google Security Team identified an issue with the way
> JBoss parsed JBoss Expression Language expressions, if the Java Security
> Manager was incorrectly configured. This opened a passage for an attacker to
> execute arbitrary code. This issue has been resolved by fixing the way JBEL is
> sanitized prior to the server processing it.
>
Is it possible to use the original advisory text instead?

---

An input sanitization flaw was found in the way JBoss Seam processed
certain parametrized JBoss Expression Language (EL) expressions. A remote
attacker could use this flaw to execute arbitrary code via a URL,
containing appended, specially-crafted expression language parameters,
provided to certain applications based on the JBoss Seam framework. Note: A
properly configured and enabled Java Security Manager would prevent
exploitation of this flaw. (CVE-2010-1871)

Red Hat would like to thank Meder Kydyraliev of the Google Security Team
for responsibly reporting this issue.

---

With "CVE-2010-1871" a link to
https://www.redhat.com/security/data/cve/CVE-2010-1871.html ?

Cheers.

---

So I will change the Release Notes to use the original text as suggested by Murray. Thanks for the feedback, let me know if there's anything else I can add.

Rebecca

Comment 15 Josh Bressers 2011-02-03 18:51:57 UTC

Please note:

Seam2 as shipped in JBEAP 4.3. This flaw did not affect the version of Seam shipped in JBEAP 4.2

Comment 19 Ahmad Adly 2021-09-30 02:46:29 UTC

Hi there, I know this long time to raise the question.
I want to ask what are the proper Security Manager configurations that will resolve CVE-2010-1871?