Bug 795645 (CVE-2012-0874)
Summary: | CVE-2012-0874 JBoss invoker servlets do not require authentication | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | David Jorm <djorm> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | brms-jira, darran.lofthouse, dpalmer, jawilson, jcoleman, mjc, ncross, nwallace, rdickens, rzhang, security-response-team, tkirby, zzoubkov |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-06-03 00:30:31 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 796121, 796122, 796123 | ||
Bug Blocks: | 789173, 796518, 835396, 849517, 883225 |
Description
David Jorm
2012-02-21 06:40:12 UTC
Acknowledgements: This issue was discovered by David Jorm of the Red Hat Security Response Team. This issue has been addressed in following products: JBoss Enterprise Application Platform 5.2.0 Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html This issue has been addressed in following products: JBEAP 5 for RHEL 5 Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html This issue has been addressed in following products: JBEAP 5 for RHEL 6 Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html This issue has been addressed in following products: JBEWP 5 for RHEL 6 Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html This issue has been addressed in following products: JBEAP 5 for RHEL 4 Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html This issue has been addressed in following products: JBEWP 5 for RHEL 4 Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html This issue has been addressed in following products: JBEWP 5 for RHEL 5 Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html This issue has been addressed in following products: JBoss Enterprise Web Platform 5.2.0 Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html This issue has been addressed in following products: JBoss Enterprise BRMS Platform 5.3.1 Via RHSA-2013:0221 https://rhn.redhat.com/errata/RHSA-2013-0221.html This issue has been addressed in following products: JBoss Enterprise SOA Platform 5.3.1 Via RHSA-2013:0533 https://rhn.redhat.com/errata/RHSA-2013-0533.html The interceptor that blocks exploitation of this flaw by default is declared in jboss-as/server/$PROFILE/deploy/jmx-invoker-service.xml: <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx-console"/> |