Bug 984034 (CVE-2013-1768)

Summary: CVE-2013-1768 openjpa: Remote arbitrary code execution by creating a serialized object and leveraging improperly secured server programs
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aneelica, bressers, chazlett, djorm, jason.greene, java-sig-commits, lgao, pcheung, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20130612,reported=20130711,source=cve,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,fedora-all/openjpa=affected,fedora-rawhide/openjpa=affected,jboss/fuse-6.0=affected,jboss/fuse-esb-7.1=affected,jboss/fuse-others=notaffected,cwe=CWE-502
Fixed In Version: Apache OpenJPA 1.2.3, Apache OpenJPA 2.2.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-19 19:12:16 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 984040    
Bug Blocks: 981152, 984048, 996321    

Description Jan Lieskovsky 2013-07-12 11:16:17 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1768 to the following vulnerability:

The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.

References:
[1]  http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0099.html
[2]  http://www-01.ibm.com/support/docview.wss?uid=swg21635999
[3]  http://svn.apache.org/viewvc?view=revision&revision=1462076
[4]  http://svn.apache.org/viewvc?view=revision&revision=1462225
[5]  http://svn.apache.org/viewvc?view=revision&revision=1462268
[6]  http://svn.apache.org/viewvc?view=revision&revision=1462318
[7]  http://svn.apache.org/viewvc?view=revision&revision=1462328
[8]  http://svn.apache.org/viewvc?view=revision&revision=1462488
[9]  http://svn.apache.org/viewvc?view=revision&revision=1462512
[10] http://svn.apache.org/viewvc?view=revision&revision=1462558
[11] http://www-01.ibm.com/support/docview.wss?uid=swg1PM86780
[12] http://www-01.ibm.com/support/docview.wss?uid=swg1PM86786
[13] http://www-01.ibm.com/support/docview.wss?uid=swg1PM86788
[14] http://www-01.ibm.com/support/docview.wss?uid=swg1PM86791
[15] http://xforce.iss.net/xforce/xfdb/82268
Comment 1 Jan Lieskovsky 2013-07-12 11:23:43 EDT
This issue affects the versions of the openjpa package, as shipped with Fedora release of 17, 18, and 19. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-07-12 11:24:18 EDT
Created openjpa tracking bugs for this issue:

Affects: fedora-all [bug 984040]
Comment 3 gil cattaneo 2013-07-15 04:16:47 EDT
should fixed in 
openjpa-2.2.0-3.fc17
openjpa-2.2.0-3.fc18
openjpa-2.2.1-6.fc19
regards
Comment 5 Fedora Update System 2013-07-21 20:26:16 EDT
openjpa-2.2.0-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-07-21 20:27:27 EDT
openjpa-2.2.1-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-07-21 20:31:27 EDT
openjpa-2.2.0-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 errata-xmlrpc 2013-08-29 19:30:25 EDT
This issue has been addressed in following products:

  Red Hat JBoss Fuse 6.0.0

Via RHSA-2013:1185 https://rhn.redhat.com/errata/RHSA-2013-1185.html
Comment 9 gil cattaneo 2013-09-17 06:02:00 EDT
you might as well close,
openjpa-2.2.0-3.fc17
openjpa-2.2.0-3.fc18
openjpa-2.2.1-6.fc19
fix the problem
Comment 10 errata-xmlrpc 2013-12-19 17:50:38 EST
This issue has been addressed in following products:

  Fuse ESB Enterprise 7.1.0

Via RHSA-2013:1862 https://rhn.redhat.com/errata/RHSA-2013-1862.html