Bug 1101619 (CVE-2014-0248) - CVE-2014-0248 JBoss Seam: RCE via unsafe logging in AuthenticationFilter
Summary: CVE-2014-0248 JBoss Seam: RCE via unsafe logging in AuthenticationFilter
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0248
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1101741 1101742 1101743 1101744 1101745 1101746 1101747 1101748 1101749 1101750 1101752 1101753 1101754 1101755 1101785 1101786 1101787 1101788 1101789 1101790 1101791 1101792 1102383 1102384
Blocks: 1101620 1103918 1103922 1108737 1109835 1112044 1244362 1244363
TreeView+ depends on / blocked
 
Reported: 2014-05-27 15:40 UTC by Arun Babu Neelicattu
Modified: 2023-05-12 22:29 UTC (History)
56 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the org.jboss.seam.web.AuthenticationFilter class implementation did not properly use Seam logging. A remote attacker could send specially crafted authentication headers to an application, which could result in arbitrary code execution with the privileges of the user running that application.
Clone Of:
Environment:
Last Closed: 2016-03-10 21:30:06 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 712283 0 high CLOSED CVE-2011-2196 JBoss Seam EL interpolation in exception handling 2023-05-12 18:49:54 UTC
Red Hat Product Errata RHSA-2014:0785 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Framework Kit 2.5.0 security update 2014-06-23 22:02:30 UTC
Red Hat Product Errata RHSA-2014:0791 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update 2014-06-25 19:50:51 UTC
Red Hat Product Errata RHSA-2014:0792 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update 2014-06-25 20:01:14 UTC
Red Hat Product Errata RHSA-2014:0793 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-06-25 20:00:59 UTC
Red Hat Product Errata RHSA-2014:0794 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-06-25 19:50:45 UTC
Red Hat Product Errata RHSA-2015:1888 0 normal SHIPPED_LIVE Important: Red Hat JBoss SOA Platform 5.3.1 security update 2015-10-12 19:27:33 UTC

Internal Links: 712283

Description Arun Babu Neelicattu 2014-05-27 15:40:54 UTC 
It was found that org.jboss.seam.web.AuthenticationFilter class implementation used seam logging in an unsafe manner. A remote attacker could exploit this issue in order to gain arbitrary code execution by providing specifically crafted authentication headers.
Comment 7 Arun Babu Neelicattu 2014-06-23 13:57:09 UTC 
Acknowledgements:

This issue was discovered by Marek Schmidt of Red Hat.
Comment 8 errata-xmlrpc 2014-06-23 18:02:38 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Web Framework Kit 2.5.0

Via RHSA-2014:0785 https://rhn.redhat.com/errata/RHSA-2014-0785.html
Comment 9 errata-xmlrpc 2014-06-25 15:51:30 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0 

Via RHSA-2014:0794 https://rhn.redhat.com/errata/RHSA-2014-0794.html
Comment 10 errata-xmlrpc 2014-06-25 15:52:10 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2014:0791 https://rhn.redhat.com/errata/RHSA-2014-0791.html
Comment 11 errata-xmlrpc 2014-06-25 16:02:28 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 6

Via RHSA-2014:0793 https://rhn.redhat.com/errata/RHSA-2014-0793.html
Comment 12 errata-xmlrpc 2014-06-25 16:02:33 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 6

Via RHSA-2014:0792 https://rhn.redhat.com/errata/RHSA-2014-0792.html
Comment 16 errata-xmlrpc 2015-10-12 15:28:07 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html
Note You need to log in before you can comment on or make changes to this bug.