Bug 730176 – CVE-2011-2908 CSRF on jmx-console allows invocation of operations on mbeans

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 730176 - (CVE-2011-2908) CVE-2011-2908 CSRF on jmx-console allows invocation of operations on mbeans

Summary:	CVE-2011-2908 CSRF on jmx-console allows invocation of operations on mbeans

Status:	CLOSED ERRATA

Aliases:	CVE-2011-2908

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	public=20070222,reported=20070222,sou...
Keywords:	Security

Depends On:	844869 844870 844871
Blocks:	730190 789173 844880 849517
	Show dependency tree / graph

Reported:	2011-08-11 22:13 EDT by David Jorm
Modified:	2016-03-04 06:04 EST (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-01-24 18:15:46 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2012:1152	normal	SHIPPED_LIVE	Moderate: JBoss Enterprise SOA Platform 5.3.0 security update	2012-08-08 16:10:27 EDT
Red Hat Product Errata	RHSA-2012:1165	normal	SHIPPED_LIVE	Moderate: JBoss Enterprise BRMS Platform 5.3.0 update	2012-08-13 15:58:09 EDT
Red Hat Product Errata	RHSA-2012:1232	normal	SHIPPED_LIVE	Important: JBoss Enterprise Portal Platform 5.2.2 update	2012-09-05 16:25:36 EDT
Red Hat Product Errata	RHSA-2013:0191	normal	SHIPPED_LIVE	Important: JBoss Enterprise Application Platform 5.2.0 update	2013-01-24 18:30:08 EST
Red Hat Product Errata	RHSA-2013:0192	normal	SHIPPED_LIVE	Important: JBoss Enterprise Application Platform 5.2.0 update	2013-01-24 18:28:23 EST
Red Hat Product Errata	RHSA-2013:0193	normal	SHIPPED_LIVE	Important: JBoss Enterprise Application Platform 5.2.0 update	2013-01-24 18:42:29 EST
Red Hat Product Errata	RHSA-2013:0194	normal	SHIPPED_LIVE	Important: JBoss Enterprise Application Platform 5.2.0 update	2013-01-24 18:08:14 EST
Red Hat Product Errata	RHSA-2013:0195	normal	SHIPPED_LIVE	Important: JBoss Enterprise Web Platform 5.2.0 update	2013-01-24 18:41:24 EST
Red Hat Product Errata	RHSA-2013:0196	normal	SHIPPED_LIVE	Important: JBoss Enterprise Web Platform 5.2.0 update	2013-01-24 18:55:46 EST
Red Hat Product Errata	RHSA-2013:0197	normal	SHIPPED_LIVE	Important: JBoss Enterprise Web Platform 5.2.0 update	2013-01-24 18:54:22 EST
Red Hat Product Errata	RHSA-2013:0198	normal	SHIPPED_LIVE	Important: JBoss Enterprise Web Platform 5.2.0 update	2013-01-24 19:07:17 EST

Groups: None (edit)

Description David Jorm 2011-08-11 22:13:57 EDT

The JMX console as shipped with JBoss EAP 5.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. This vulnerability allows an attacker to invoke operations on mbeans via the JMX console.

Comment 4 errata-xmlrpc 2012-08-08 12:12:14 EDT

This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 5.3.0

Via RHSA-2012:1152 https://rhn.redhat.com/errata/RHSA-2012-1152.html

Comment 5 errata-xmlrpc 2012-08-13 11:59:01 EDT

This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.0

Via RHSA-2012:1165 https://rhn.redhat.com/errata/RHSA-2012-1165.html

Comment 6 errata-xmlrpc 2012-09-05 12:26:55 EDT

This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html

Comment 7 errata-xmlrpc 2013-01-24 13:09:17 EST

This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html

Comment 8 errata-xmlrpc 2013-01-24 13:32:13 EST

This issue has been addressed in following products:

  JBEAP 5 for RHEL 5

Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html

Comment 9 errata-xmlrpc 2013-01-24 13:33:00 EST

This issue has been addressed in following products:

  JBEAP 5 for RHEL 6

Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html

Comment 10 errata-xmlrpc 2013-01-24 13:45:17 EST

This issue has been addressed in following products:

  JBEWP 5 for RHEL 6

Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html

Comment 11 errata-xmlrpc 2013-01-24 13:46:03 EST

This issue has been addressed in following products:

  JBEAP 5 for RHEL 4

Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html

Comment 12 errata-xmlrpc 2013-01-24 13:58:17 EST

This issue has been addressed in following products:

  JBEWP 5 for RHEL 4

Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html

Comment 13 errata-xmlrpc 2013-01-24 13:59:11 EST

This issue has been addressed in following products:

  JBEWP 5 for RHEL 5

Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html

Comment 14 errata-xmlrpc 2013-01-24 14:08:17 EST

This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html

Note You need to log in before you can comment on or make changes to this bug.