Bug 760387 (CVE-2011-4575)

Summary: CVE-2011-4575 JMX Console: XSS in invoke operation
Product: [Other] Security Response
Reporter: David Jorm <djorm>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aneelica, brms-jira, cdewolf, darran.lofthouse, mjc, nsurtani, security-response-team, tkirby
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text: It was found that the parameters passed to operation invocations on the JMX console were not properly sanitized. Remote attackers could use this flaw to inject arbitrary web script or HTML into the JMX console.
Last Closed: 2013-06-03 00:02:58 UTC
Bug Depends On: 769148, 794419, 794420
Bug Blocks: 760388, 789173, 835396, 849517, 883225

Description David Jorm 2011-12-06 02:10:44 UTC
The parameters passed to operation invocations on the JMX console are not properly sanitized. Remote attackers can use this flaw to inject arbitrary web script or HTML into the JMX console.

Comment 5 David Jorm 2013-01-22 03:28:12 UTC
Acknowledgment:

Red Hat would like to thank Tyler Krpata for reporting this issue.

Comment 6 errata-xmlrpc 2013-01-24 18:09:26 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html

Comment 7 errata-xmlrpc 2013-01-24 18:32:19 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 5

Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html

Comment 8 errata-xmlrpc 2013-01-24 18:33:05 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 6

Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html

Comment 9 errata-xmlrpc 2013-01-24 18:45:22 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 6

Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html

Comment 10 errata-xmlrpc 2013-01-24 18:46:07 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4

Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html

Comment 11 errata-xmlrpc 2013-01-24 18:58:22 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4

Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html

Comment 12 errata-xmlrpc 2013-01-24 18:59:16 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 5

Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html

Comment 13 errata-xmlrpc 2013-01-24 19:08:22 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html

Comment 14 errata-xmlrpc 2013-01-31 20:31:18 UTC
This issue has been addressed in the following products:

  JBoss Enterprise BRMS Platform 5.3.1

Via RHSA-2013:0221 https://rhn.redhat.com/errata/RHSA-2013-0221.html

Comment 15 errata-xmlrpc 2013-02-20 21:44:00 UTC
This issue has been addressed in the following products:

  JBoss Enterprise SOA Platform 5.3.1

Via RHSA-2013:0533 https://rhn.redhat.com/errata/RHSA-2013-0533.html