772514 – (CVE-2012-0032) CVE-2012-0032 JON CLI: world-writable root directory

Bug 772514 (CVE-2012-0032) - CVE-2012-0032 JON CLI: world-writable root directory

Summary: CVE-2012-0032 JON CLI: world-writable root directory

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-0032
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	772515 804887
TreeView+	depends on / blocked

Reported:	2012-01-09 01:03 UTC by David Jorm
Modified:	2019-09-29 12:49 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-03-20 17:34:18 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2012:0406	0	normal	SHIPPED_LIVE	Important: JBoss Operations Network 3.0.1 update	2012-03-20 21:08:42 UTC

Description David Jorm 2012-01-09 01:03:35 UTC

After installing the remote client from JON 3.0, the extracted root directory is world readable/writeable/executable (0777). Although the child directories are not world writeable, by the parent directory being left in a world writeable state, it is possible to modify directory and file attributes on the child contents to trick the user into executing malicious scripts or code. A local attacker could use this flaw to compromise a remote JON server, using the credentials stolen from a privileged JON user who is using the remote client CLI from a system the local attacker has access to.

Comment 2 errata-xmlrpc 2012-03-20 17:09:25 UTC

This issue has been addressed in following products:

  JBoss Operations Network 3.0.1

Via RHSA-2012:0406 https://rhn.redhat.com/errata/RHSA-2012-0406.html

Note You need to log in before you can comment on or make changes to this bug.