An improper input sanitization flaw was found in the way the JBoss Seam web application framework processed certain parametrized JBoss Expression Language expressions. A remote attacker could use this flaw to execute arbitrary code via a URL containing appended, specially crafted expression language parameters, provided to certain applications based on the JBoss Seam framework.

Note: A properly configured and enabled Java Security Manager would prevent exploitation of this flaw.

References:
[1] http://seamframework.org/
[2] http://docs.jboss.org/seam/2.2.0.GA/en-US/html/elenhancements.html

Acknowledgements:
Red Hat would like to thank Meder Kydyraliev of Google Security Team for responsibly reporting this issue.
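As an added illustration of the defensive side of this report (this is example code, not code from the bug report, Red Hat, or the Seam project, and not the actual fix), the following Python checks untrusted request parameters for Unified EL delimiters (`${` and `#{`), including URL-encoded and double-encoded forms, and runs the same check over a few constructed access-log lines so that requests carrying EL syntax in their parameters can be flagged. The log lines, parameter names and URLs are made up for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Unified EL expressions start with "${" or "#{"; a request parameter that is
# meant to carry plain data has no reason to contain either delimiter.
EL_START = re.compile(r"[#$]\{")

# Request field of a combined-format access log, e.g. "GET /path?x=1 HTTP/1.1"
REQUEST_FIELD = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %2523%257B (double-encoded "#{") is seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_el_expression(value: str) -> bool:
    """True if the decoded value contains the start of an EL expression."""
    return EL_START.search(fully_decode(value)) is not None


def suspicious_parameters(url: str) -> List[str]:
    """Names of query parameters whose name or value looks like an EL expression."""
    query = urlsplit(url).query
    return [
        name
        for name, value in parse_qsl(query, keep_blank_values=True)
        if contains_el_expression(name) or contains_el_expression(value)
    ]


def validate_parameter(name: str, value: str) -> str:
    """Server-side guard: reject untrusted input that carries EL syntax.

    Illustrative only (an assumption of this example); it stands in for the
    sanitization a framework must apply before a parameter reaches an EL evaluator.
    """
    if contains_el_expression(value):
        raise ValueError(f"parameter {name!r} contains an EL expression")
    return value


def flag_requests(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Scan access-log text; return (line number, request URL, flagged parameter names)."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_FIELD.search(line)
        if not match:
            continue
        flagged = suspicious_parameters(match.group(1))
        if flagged:
            hits.append((lineno, match.group(1), flagged))
    return hits


# Constructed sample log lines (not real traffic); parameter names are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2010:10:00:01 +0000] "GET /app/home.seam?cid=12 HTTP/1.1" 200 512
10.0.0.9 - - [01/Aug/2010:10:00:02 +0000] "GET /app/home.seam?view=%23%7Bsome.bean%7D&cid=12 HTTP/1.1" 200 100
10.0.0.7 - - [01/Aug/2010:10:00:03 +0000] "GET /app/search.seam?q=price%20%24100 HTTP/1.1" 200 300
10.0.0.3 - - [01/Aug/2010:10:00:04 +0000] "GET /app/search.seam?q=%2524%257Bx%257D HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for lineno, url, params in flag_requests(SAMPLE_LOG):
        print(f"line {lineno}: {url} -> EL syntax in parameter(s) {params}")
```

Lines 2 and 4 of the constructed log are flagged (the second only after a second round of percent-decoding), while the literal "$100" on line 3 is not, because a bare `$` without a following `{` is not an EL delimiter. The same `contains_el_expression` check backs `validate_parameter`, which is the shape of the server-side guard the advisory's fix description refers to: untrusted parameters are rejected before anything evaluates them.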
This issue has been addressed in the following products:

JBEAP 4.3.0 for RHEL 4
JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0564 https://rhn.redhat.com/errata/RHSA-2010-0564.html
Documented in the EAP 5.1 Release Notes Fixed Issues as:

Meder Kydyraliev from the Google Security Team identified an issue with the way JBoss parsed JBoss Expression Language expressions, if the Java Security Manager was incorrectly configured. This opened a passage for an attacker to execute arbitrary code. This issue has been resolved by fixing the way JBEL is sanitized prior to the server processing it.
That release note doesn't make much sense due to a mix-up of brands and technologies; I would recommend:

Meder Kydyraliev from the Google Security Team identified an issue with the way >>>JBoss Seam<<< handled various >>>Unified Expression Language<<< expressions, if the Java Security Manager was incorrectly configured. This opened a passage for an attacker to execute arbitrary code. This issue has been resolved by fixing the way >>>the EL expression<<< is sanitized prior to the server processing it.
It'd be great if you guys also announced this bug on the Seam community website instead of only silently releasing 2.2.1.CR2.
It was, I guess you just missed it. FYI http://seamframework.org/Community/Seam221CR2IsAvailableForPublic
Oh, didn't see that, I was expecting something on: http://seamframework.org/Seam2/Downloads but I guess that works too. Thanks, Meder
Email correspondence from Murray McAllister:

Documented in the EAP 5.1 Release Notes Fixed Issues as:

> Meder Kydyraliev from the Google Security Team identified an issue with the way
> JBoss parsed JBoss Expression Language expressions, if the Java Security
> Manager was incorrectly configured. This opened a passage for an attacker to
> execute arbitrary code. This issue has been resolved by fixing the way JBEL is
> sanitized prior to the server processing it.

Is it possible to use the original advisory text instead?

---
An input sanitization flaw was found in the way JBoss Seam processed certain parametrized JBoss Expression Language (EL) expressions. A remote attacker could use this flaw to execute arbitrary code via a URL, containing appended, specially-crafted expression language parameters, provided to certain applications based on the JBoss Seam framework. Note: A properly configured and enabled Java Security Manager would prevent exploitation of this flaw. (CVE-2010-1871)

Red Hat would like to thank Meder Kydyraliev of the Google Security Team for responsibly reporting this issue.
---

With "CVE-2010-1871" a link to https://www.redhat.com/security/data/cve/CVE-2010-1871.html ?

Cheers.

---

So I will change the Release Notes to use the original text as suggested by Murray. Thanks for the feedback, let me know if there's anything else I can add.

Rebecca
Please note: Seam2 as shipped in JBEAP 4.3. This flaw did not affect the version of Seam shipped in JBEAP 4.2.
Hi there, I know it is a long time after the fact to raise the question. I want to ask: what are the proper Security Manager configurations that will resolve CVE-2010-1871?