Bug 973570 (CVE-2013-2165) - CVE-2013-2165 JBoss RichFaces: Remote code execution due to insecure deserialization
Summary: CVE-2013-2165 JBoss RichFaces: Remote code execution due to insecure deserial...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2165
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 973872 973873 973874 973875 973876 973878 978369 978474 978907 979405
Blocks: 973001 1025132
TreeView+ depends on / blocked
 
Reported: 2013-06-12 08:48 UTC by Arun Babu Neelicattu
Modified: 2021-08-11 12:57 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-11 05:03:23 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBPAPP-10776 0 Critical Resolved CVE-2013-2165 JBoss RichFaces Issue [eap-5] 2018-11-13 06:18:54 UTC
Red Hat Issue Tracker JBPAPP-10777 0 Critical Resolved CVE-2013-2165 JBoss RichFaces Issue [eap-4] 2018-11-13 06:18:54 UTC
Red Hat Issue Tracker JBPAPP-11268 0 Blocker Pending Upload to Patch Repository CVE-2018-12533 RichFaces: Injection of arbitrary EL expressions allows remote code execution via org.richfaces.renderkit... 2018-11-13 06:18:54 UTC
Red Hat Product Errata RHSA-2013:1041 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Web Framework Kit 2.3.0 update 2013-07-11 03:44:29 UTC
Red Hat Product Errata RHSA-2013:1042 0 normal SHIPPED_LIVE Critical: richfaces security update 2013-07-11 03:55:30 UTC
Red Hat Product Errata RHSA-2013:1043 0 normal SHIPPED_LIVE Critical: richfaces security update 2013-07-11 03:55:22 UTC
Red Hat Product Errata RHSA-2013:1044 0 normal SHIPPED_LIVE Critical: jboss-seam2 security update 2013-07-11 04:17:04 UTC
Red Hat Product Errata RHSA-2013:1045 0 normal SHIPPED_LIVE Critical: RichFaces security update 2013-07-11 04:16:59 UTC

Description Arun Babu Neelicattu 2013-06-12 08:48:56 UTC 
A flaw was found in the way JBoss RichFaces handled deserialization. A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server. This could lead to a variety of security impacts depending on the deserialization logic of these classes.
Comment 9 errata-xmlrpc 2013-07-10 23:45:51 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Web Framework Kit 2.3.0

Via RHSA-2013:1041 https://rhn.redhat.com/errata/RHSA-2013-1041.html
Comment 10 errata-xmlrpc 2013-07-10 23:57:02 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 6
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 4

Via RHSA-2013:1043 https://rhn.redhat.com/errata/RHSA-2013-1043.html
Comment 11 errata-xmlrpc 2013-07-10 23:57:11 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 6
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4

Via RHSA-2013:1042 https://rhn.redhat.com/errata/RHSA-2013-1042.html
Comment 12 errata-xmlrpc 2013-07-11 00:18:27 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 4.3.0 CP10
  Red Hat JBoss Enterprise Application Platform 5.2.0
  Red Hat JBoss Web Platform 5.2.0
  Red Hat JBoss BRMS 5.3.1
  Red Hat JBoss SOA Platform 4.3.0 CP05
  Red Hat JBoss SOA Platform 5.3.1
  Red Hat JBoss Portal 4.3 CP07
  Red Hat JBoss Portal 5.2.2
  Red Hat JBoss Operations Network 2.4.2
  Red Hat JBoss Operations Network 3.1.2

Via RHSA-2013:1045 https://rhn.redhat.com/errata/RHSA-2013-1045.html
Comment 13 errata-xmlrpc 2013-07-11 00:20:16 UTC 
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2013:1044 https://rhn.redhat.com/errata/RHSA-2013-1044.html
Note You need to log in before you can comment on or make changes to this bug.