Bug 615956 (alias CVE-2010-1871) - CVE-2010-1871 JBoss Seam / Seam2: Improper sanitization of parametrized JBoss EL expressions (ACE)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: public=20100727,reported=20100719,sou...
Keywords: Security
Reported: 2010-07-19 07:31 EDT by Jan Lieskovsky
Modified: 2018-03-02 04:38 EST
Doc Type: Bug Fix
Last Closed: 2011-10-21 00:52:04 EDT

External Trackers
Tracker ID: Red Hat Product Errata RHSA-2010:0564
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: jboss-seam2 security update
Last Updated: 2010-07-28 09:20:30 EDT

Description Jan Lieskovsky 2010-07-19 07:31:33 EDT
An improper input sanitization flaw was found in the way JBoss Seam
web application framework processed certain parametrized JBoss
Expression Language expressions. A remote attacker could use this flaw
to execute arbitrary code via a URL, containing appended, specially-crafted
expression language parameters, provided to certain applications based on
the JBoss Seam framework. Note: A properly configured and enabled Java
Security Manager would prevent exploitation of this flaw.

References:
  [1] http://seamframework.org/
  [2] http://docs.jboss.org/seam/2.2.0.GA/en-US/html/elenhancements.html

Acknowledgements:

Red Hat would like to thank Meder Kydyraliev of Google Security Team
for responsibly reporting this issue.
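The description above says the crafted EL parameters arrive appended to a URL, so one thing a defender can do is look for EL delimiters in logged query strings. The following scanner is an added example written for this page, not code from the bug entry, Red Hat or the Seam project; it assumes Common Log Format access lines, and the parameter name `param` and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# Common Log Format request line; only the fields the scan needs are captured.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# EL delimiters as they look once the parameter value has been fully decoded.
EL_RE = re.compile(r'[#$]\{')

def decode_param(value, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded %2523%257B still resolves to #{."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (name, decoded value) for each query parameter carrying an EL delimiter."""
    # Split on '?' by hand so a raw '#' in the query is not discarded as a URL fragment.
    query = target.split("?", 1)[1] if "?" in target else ""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        name, value = decode_param(name), decode_param(value)
        if EL_RE.search(name) or EL_RE.search(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Return (host, time, target, hits) for each parseable request whose query carries EL syntax."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # unparseable line: skip it rather than abort the scan
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((m.group("host"), m.group("time"), m.group("target"), hits))
    return findings

# Constructed sample lines, not real traffic; 'param' is a hypothetical parameter name.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jul/2010:07:31:33 -0400] "GET /app/home.seam?cid=12 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/Jul/2010:07:32:01 -0400] "GET /app/home.seam?cid=12&param=%23%7Bexample.prop%7D HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/Jul/2010:07:32:05 -0400] "GET /app/home.seam?param=%2524%257Bexample.prop%257D HTTP/1.1" 500 312',
    'not a log line',
]
```

Treat a hit as a signal to review, not proof of exploitation: a single-encoded `#{` would be decoded by the container before Seam sees it, so both encoded and raw forms are worth checking.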
Comment 7 errata-xmlrpc 2010-07-27 08:51:55 EDT
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0564 https://rhn.redhat.com/errata/RHSA-2010-0564.html
Comment 8 errata-xmlrpc 2010-07-28 09:20:33 EDT
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0564 https://rhn.redhat.com/errata/RHSA-2010-0564.html
Comment 9 Rebecca Newton 2010-09-01 03:26:44 EDT
Documented in the EAP 5.1 Release Notes Fixed Issues as:

Meder Kydyraliev from the Google Security Team identified an issue with the way JBoss parsed JBoss Expression Language expressions, if the Java Security Manager was incorrectly configured. This opened a passage for an attacker to execute arbitrary code. This issue has been resolved by fixing the way JBEL is sanitized prior to the server processing it.
Comment 10 Pete Muir 2010-09-01 05:55:27 EDT
That release note doesn't make much sense, due to a mix-up of brands and technologies; I would recommend:

Meder Kydyraliev from the Google Security Team identified an issue with the way
>>>JBoss Seam<<< handled various >>>Unified Expression Language<<< expressions, if the Java Security
Manager was incorrectly configured. This opened a passage for an attacker to
execute arbitrary code. This issue has been resolved by fixing the way >>>the EL expression<<< is
sanitized prior to the server processing it.
Comment 11 Meder Kydyraliev 2010-09-01 08:53:51 EDT
It'd be great if you guys also announced this bug on the Seam community website instead of only silently releasing 2.2.1.CR2.
Comment 12 Pete Muir 2010-09-01 09:03:58 EDT
It was; I guess you just missed it. FYI http://seamframework.org/Community/Seam221CR2IsAvailableForPublic
Comment 13 Meder Kydyraliev 2010-09-01 09:12:43 EDT
Oh, didn't see that, I was expecting something on: http://seamframework.org/Seam2/Downloads but I guess that works too.

Thanks,
Meder
Comment 14 Rebecca Newton 2010-09-01 19:30:39 EDT
Email correspondence from Murray McAllister:

Documented in the EAP 5.1 Release Notes Fixed Issues as:
>
> Meder Kydyraliev from the Google Security Team identified an issue with the way
> JBoss parsed JBoss Expression Language expressions, if the Java Security
> Manager was incorrectly configured. This opened a passage for an attacker to
> execute arbitrary code. This issue has been resolved by fixing the way JBEL is
> sanitized prior to the server processing it.
>
Is it possible to use the original advisory text instead?

---

An input sanitization flaw was found in the way JBoss Seam processed
certain parametrized JBoss Expression Language (EL) expressions. A remote
attacker could use this flaw to execute arbitrary code via a URL,
containing appended, specially-crafted expression language parameters,
provided to certain applications based on the JBoss Seam framework. Note: A
properly configured and enabled Java Security Manager would prevent
exploitation of this flaw. (CVE-2010-1871)

Red Hat would like to thank Meder Kydyraliev of the Google Security Team
for responsibly reporting this issue.

---

With "CVE-2010-1871" a link to
https://www.redhat.com/security/data/cve/CVE-2010-1871.html ?

Cheers.

---

So I will change the Release Notes to use the original text as suggested by Murray. Thanks for the feedback, let me know if there's anything else I can add.

Rebecca
Comment 15 Josh Bressers 2011-02-03 13:51:57 EST
Please note:

This flaw affected Seam2 as shipped in JBEAP 4.3. It did not affect the version of Seam shipped in JBEAP 4.2.