Bug 973570 (CVE-2013-2165)

Summary: CVE-2013-2165 JBoss RichFaces: Remote code execution due to insecure deserialization
Product: [Other] Security Response
Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: bleathem, ccrouch, djorm, grocha, jlieskov, jlivings, jrusnack, lfryc, lgao, mnovotny, rcvalle, security-response-team, spinder, theute, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=critical,public=20130710,reported=20130610,source=researcher,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,jboss/eap-5=affected,jboss/eap-4.3=affected,jboss/eap-4.2=notaffected,jboss/ewp-5=affected,brms-5/RichFaces=affected,soap-4.3/RichFaces=affected,soap-5/RichFaces=affected,epp-4/RichFaces=affected,epp-5/RichFaces=affected,jon-2/RichFaces=affected,jon-3.1/RichFaces=affected,wfk-2/RichFaces=affected,jboss/others=notaffected,cwe=CWE-502
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-11 01:03:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 973872, 973873, 973874, 973875, 973876, 973878, 978369, 978474, 978907, 979405
Bug Blocks: 973001, 1025132

Description Arun Babu Neelicattu 2013-06-12 04:48:56 EDT
A flaw was found in the way JBoss RichFaces handled deserialization. A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server. This could lead to a variety of security impacts depending on the deserialization logic of these classes.
Comment 4 David Jorm 2013-06-13 05:23:22 EDT
Acknowledgements:

Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure Directions, Inc.) for reporting this issue.
Comment 9 errata-xmlrpc 2013-07-10 19:45:51 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Web Framework Kit 2.3.0

Via RHSA-2013:1041 https://rhn.redhat.com/errata/RHSA-2013-1041.html
Comment 10 errata-xmlrpc 2013-07-10 19:57:02 EDT
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 6
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 4

Via RHSA-2013:1043 https://rhn.redhat.com/errata/RHSA-2013-1043.html
Comment 11 errata-xmlrpc 2013-07-10 19:57:11 EDT
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 6
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4

Via RHSA-2013:1042 https://rhn.redhat.com/errata/RHSA-2013-1042.html
Comment 12 errata-xmlrpc 2013-07-10 20:18:27 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 4.3.0 CP10
  Red Hat JBoss Enterprise Application Platform 5.2.0
  Red Hat JBoss Web Platform 5.2.0
  Red Hat JBoss BRMS 5.3.1
  Red Hat JBoss SOA Platform 4.3.0 CP05
  Red Hat JBoss SOA Platform 5.3.1
  Red Hat JBoss Portal 4.3 CP07
  Red Hat JBoss Portal 5.2.2
  Red Hat JBoss Operations Network 2.4.2
  Red Hat JBoss Operations Network 3.1.2

Via RHSA-2013:1045 https://rhn.redhat.com/errata/RHSA-2013-1045.html
Comment 13 errata-xmlrpc 2013-07-10 20:20:16 EDT
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2013:1044 https://rhn.redhat.com/errata/RHSA-2013-1044.html