Bug 984034 - (CVE-2013-1768) CVE-2013-1768 openjpa: Remote arbitrary code execution by creating a serialized object and leveraging improperly secured server programs
CVE-2013-1768 openjpa: Remote arbitrary code execution by creating a serializ...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20130612,repo...
: Security
Depends On: 984040
Blocks: 981152 984048 996321
  Show dependency treegraph
 
Reported: 2013-07-12 11:16 EDT by Jan Lieskovsky
Modified: 2014-04-09 19:57 EDT (History)
9 users (show)

See Also:
Fixed In Version: Apache OpenJPA 1.2.3, Apache OpenJPA 2.2.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-19 19:12:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2013-07-12 11:16:17 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1768 to the following vulnerability:

The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.

References:
[1]  http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0099.html
[2]  http://www-01.ibm.com/support/docview.wss?uid=swg21635999
[3]  http://svn.apache.org/viewvc?view=revision&revision=1462076
[4]  http://svn.apache.org/viewvc?view=revision&revision=1462225
[5]  http://svn.apache.org/viewvc?view=revision&revision=1462268
[6]  http://svn.apache.org/viewvc?view=revision&revision=1462318
[7]  http://svn.apache.org/viewvc?view=revision&revision=1462328
[8]  http://svn.apache.org/viewvc?view=revision&revision=1462488
[9]  http://svn.apache.org/viewvc?view=revision&revision=1462512
[10] http://svn.apache.org/viewvc?view=revision&revision=1462558
[11] http://www-01.ibm.com/support/docview.wss?uid=swg1PM86780
[12] http://www-01.ibm.com/support/docview.wss?uid=swg1PM86786
[13] http://www-01.ibm.com/support/docview.wss?uid=swg1PM86788
[14] http://www-01.ibm.com/support/docview.wss?uid=swg1PM86791
[15] http://xforce.iss.net/xforce/xfdb/82268
Comment 1 Jan Lieskovsky 2013-07-12 11:23:43 EDT
This issue affects the versions of the openjpa package, as shipped with Fedora release of 17, 18, and 19. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-07-12 11:24:18 EDT
Created openjpa tracking bugs for this issue:

Affects: fedora-all [bug 984040]
Comment 3 gil cattaneo 2013-07-15 04:16:47 EDT
should fixed in 
openjpa-2.2.0-3.fc17
openjpa-2.2.0-3.fc18
openjpa-2.2.1-6.fc19
regards
Comment 5 Fedora Update System 2013-07-21 20:26:16 EDT
openjpa-2.2.0-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-07-21 20:27:27 EDT
openjpa-2.2.1-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-07-21 20:31:27 EDT
openjpa-2.2.0-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 errata-xmlrpc 2013-08-29 19:30:25 EDT
This issue has been addressed in following products:

  Red Hat JBoss Fuse 6.0.0

Via RHSA-2013:1185 https://rhn.redhat.com/errata/RHSA-2013-1185.html
Comment 9 gil cattaneo 2013-09-17 06:02:00 EDT
you might as well close,
openjpa-2.2.0-3.fc17
openjpa-2.2.0-3.fc18
openjpa-2.2.1-6.fc19
fix the problem
Comment 10 errata-xmlrpc 2013-12-19 17:50:38 EST
This issue has been addressed in following products:

  Fuse ESB Enterprise 7.1.0

Via RHSA-2013:1862 https://rhn.redhat.com/errata/RHSA-2013-1862.html

Note You need to log in before you can comment on or make changes to this bug.