Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1031829 - (CVE-2013-4810) CVE-2013-4810 HP ProCurve Manager (PCM): invoker servlets do not require authentication
CVE-2013-4810 HP ProCurve Manager (PCM): invoker servlets do not require auth...
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Red Hat Product Security
impact=critical,public=20130911,repor...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-18 16:49 EST by David Jorm
Modified: 2014-10-20 20:05 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-18 16:53:38 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description David Jorm 2013-11-18 16:49:46 EST 
The HP ProCurve Manager (PCM) was found to expose unauthenticated JMXInvokerServlet and EJBInvokerServlet interfaces. A remote attacker could exploit this flaw to invoke MBean methods and run arbitrary code in the context of the user running the PCM server.
Comment 1 David Jorm 2013-11-18 16:53:38 EST 
Statement:

CVE-2013-4810 refers to the exposure of unauthenticated JMXInvokerServlet and EJBInvokerServlet interfaces on HP ProCurve Manager (PCM). These servlets are also, however, exposed without authentication on older, unsupported community releases of JBoss AS (WildFly) 4.x and 5.x.

All supported Red Hat JBoss products that include the JMXInvokerServlet and EJBInvokerServlet interfaces apply authentication by default and are not affected by this issue. 

Community releases of JBoss AS (WildFly) 7.x are also not affected by this issue.

Users of older, unsupported community releases of JBoss AS (WildFly) are advised to follow the instructions available here to apply authentication to the invoker servlet interfaces:

https://community.jboss.org/wiki/SecureJboss/

Note: Red Hat has been aware of this issue since 2012, as identified in CVE-2012-0874, and addressed the issue for supported Red Hat JBoss products based on JBoss AS 4.x and 5.x.
Comment 4 David Jorm 2013-11-18 19:48:51 EST 
External References:

https://access.redhat.com/site/articles/545183
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.