Red Hat Bugzilla – Bug 1072716
CVE-2014-0121 hawtio-karaf-terminal: remote code execution due to missing authentication
Last modified: 2015-07-27 09:27:17 EDT
hawtio-karaf-terminal does not apply any authentication or authorization constraints by default. A remote attacker could use this flaw to run commands in the Karaf terminal, and therefore execute arbitrary code in the context of the Karaf server process.
This issue was discovered by David Jorm of the Red Hat Security Response Team.
Upstream patch commits:
Not vulnerable. This issue only affects Red Hat JBoss Fuse 6.1.0 Beta. It is resolved in the general availability release of Red Hat JBoss Fuse 6.1.0. Earlier versions of Red Hat JBoss Fuse are not affected, as they did not include the hawtio-karaf-terminal component.