Bug 615956 (CVE-2010-1871) - CVE-2010-1871 JBoss Seam / Seam2: Improper sanitization of parametrized JBoss EL expressions (ACE)
Status: CLOSED ERRATA
Alias: CVE-2010-1871
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20100727,reported=20100719,sou...
Keywords: Security
Depends On:
Blocks:
Reported: 2010-07-19 11:31 UTC by Jan Lieskovsky
Modified: 2018-03-02 09:38 UTC (History)
CC List: 21 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-10-21 04:52:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0564 normal SHIPPED_LIVE Important: jboss-seam2 security update 2010-07-28 13:20:30 UTC

Description Jan Lieskovsky 2010-07-19 11:31:33 UTC
An improper input sanitization flaw was found in the way JBoss Seam
web application framework processed certain parametrized JBoss
Expression Language expressions. A remote attacker could use this flaw
to execute arbitrary code via a URL containing appended, specially-crafted
expression language parameters, provided to certain applications based on
the JBoss Seam framework. Note: A properly configured and enabled Java
Security Manager would prevent exploitation of this flaw.

References:
  [1] http://seamframework.org/
  [2] http://docs.jboss.org/seam/2.2.0.GA/en-US/html/elenhancements.html

Acknowledgements:

Red Hat would like to thank Meder Kydyraliev of Google Security Team
for responsibly reporting this issue.
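The description above frames the flaw as EL expressions arriving in appended URL parameters. As an added, constructed example that is not part of the bug report, Red Hat's errata or the Seam project, the following Python scanner shows the defender-side check a practitioner would want: it walks access-log lines, URL-decodes each query parameter (including double-encoded values) and flags any that contain EL delimiters (`#{...}` or `${...}`). The log lines, hosts, paths, parameter names and the `demo.value` bean reference are all invented placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed access-log lines (combined log format) for the demo; hosts,
# paths, parameter names and bean names are invented placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2010:11:31:33 +0000] "GET /app/home.seam?page=1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [19/Jul/2010:11:31:40 +0000] "GET /app/home.seam?page=%23%7Bdemo.value%7D HTTP/1.1" 200 512',
    '192.0.2.12 - - [19/Jul/2010:11:31:52 +0000] "GET /app/list.seam?sort=%2523%257Bdemo.value%257D HTTP/1.1" 200 733',
    '192.0.2.13 - - [19/Jul/2010:11:32:05 +0000] "GET /app/home.seam?page=#{demo.value} HTTP/1.1" 500 0',
    '192.0.2.14 - - [19/Jul/2010:11:32:17 +0000] "GET /app/price.seam?amount=%2410 HTTP/1.1" 200 211',
    'garbage line without a request field',
]

# JSF/Seam EL uses "#{...}" (deferred) and "${...}" (immediate) delimiters.
EL_PATTERN = re.compile(r"[#$]\{[^}]*\}")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so a double-encoded
    '%2523%257B' is judged as '#{', the way the application would see it."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def el_expressions_in_url(target):
    """Return (parameter, expression) pairs for every query parameter whose
    decoded value contains an EL expression. The query is split off manually
    rather than with urlsplit() so a literal '#' in the logged request line
    is kept as parameter data instead of being treated as a URL fragment."""
    query = target.split("?", 1)[1] if "?" in target else ""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = decode_fully(value)  # parse_qsl already removed one layer
        for match in EL_PATTERN.finditer(decoded):
            hits.append((name, match.group(0)))
    return hits


def scan_access_log(lines):
    """Return one finding per EL expression found in a logged request target."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        req = REQUEST_RE.search(line)
        if not req:
            continue  # not a request record; skip rather than crash
        for name, expr in el_expressions_in_url(req.group("target")):
            findings.append({
                "line": lineno,
                "method": req.group("method"),
                "target": req.group("target"),
                "param": name,
                "expression": expr,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: EL in query parameter {f['param']!r}: {f['expression']}")
```

Run against the constructed log, lines 2, 3 and 4 are flagged (single-encoded, double-encoded and raw delimiters respectively), while the `$10` price parameter and the malformed record are not. The decoding loop is the part worth copying: a single `unquote()` would miss the double-encoded case, and matching before decoding would miss all three.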

Comment 7 errata-xmlrpc 2010-07-27 12:51:55 UTC
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0564 https://rhn.redhat.com/errata/RHSA-2010-0564.html

Comment 8 errata-xmlrpc 2010-07-28 13:20:33 UTC
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0564 https://rhn.redhat.com/errata/RHSA-2010-0564.html

Comment 9 Rebecca Newton 2010-09-01 07:26:44 UTC
Documented in the EAP 5.1 Release Notes Fixed Issues as:

Meder Kydyraliev from the Google Security Team identified an issue with the way JBoss parsed JBoss Expression Language expressions, if the Java Security Manager was incorrectly configured. This opened a passage for an attacker to execute arbitrary code. This issue has been resolved by fixing the way JBEL is sanitized prior to the server processing it.

Comment 10 Pete Muir 2010-09-01 09:55:27 UTC
That release note doesn't make much sense due to a mix-up of brands and technologies; I would recommend:

Meder Kydyraliev from the Google Security Team identified an issue with the way
>>>JBoss Seam<<< handled various >>>Unified Expression Language<<< expressions, if the Java Security
Manager was incorrectly configured. This opened a passage for an attacker to
execute arbitrary code. This issue has been resolved by fixing the way >>>the EL expression<<< is
sanitized prior to the server processing it.

Comment 11 Meder Kydyraliev 2010-09-01 12:53:51 UTC
It'd be great if you guys also announced this bug on the Seam community website instead of only silently releasing 2.2.1.CR2.

Comment 12 Pete Muir 2010-09-01 13:03:58 UTC
It was; I guess you just missed it. FYI http://seamframework.org/Community/Seam221CR2IsAvailableForPublic

Comment 13 Meder Kydyraliev 2010-09-01 13:12:43 UTC
Oh, I didn't see that; I was expecting something on http://seamframework.org/Seam2/Downloads, but I guess that works too.

Thanks,
Meder

Comment 14 Rebecca Newton 2010-09-01 23:30:39 UTC
Email correspondence from Murray McAllister:

Documented in the EAP 5.1 Release Notes Fixed Issues as:
>
> Meder Kydyraliev from the Google Security Team identified an issue with the way
> JBoss parsed JBoss Expression Language expressions, if the Java Security
> Manager was incorrectly configured. This opened a passage for an attacker to
> execute arbitrary code. This issue has been resolved by fixing the way JBEL is
> sanitized prior to the server processing it.
>
Is it possible to use the original advisory text instead?

---

An input sanitization flaw was found in the way JBoss Seam processed
certain parametrized JBoss Expression Language (EL) expressions. A remote
attacker could use this flaw to execute arbitrary code via a URL
containing appended, specially-crafted expression language parameters,
provided to certain applications based on the JBoss Seam framework. Note: A
properly configured and enabled Java Security Manager would prevent
exploitation of this flaw. (CVE-2010-1871)

Red Hat would like to thank Meder Kydyraliev of the Google Security Team
for responsibly reporting this issue.

---

With "CVE-2010-1871" a link to
https://www.redhat.com/security/data/cve/CVE-2010-1871.html ?

Cheers.

---

So I will change the Release Notes to use the original text as suggested by Murray. Thanks for the feedback, let me know if there's anything else I can add.

Rebecca

Comment 15 Josh Bressers 2011-02-03 18:51:57 UTC
Please note:

This flaw affected Seam2 as shipped in JBEAP 4.3. This flaw did not affect the version of Seam shipped in JBEAP 4.2.

