Description
In JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization. This allows an attacker to execute arbitrary code via crafted serialized data.
Statement
Red Hat JBoss Enterprise Application Platform 6 and 7 do not ship the http invoker so they are not affected.
Mitigation
Secure access to the entire http-invoker context by adding a /* url-pattern to the security-constraints in the web.xml file of http-invoker.sar. Users who do not need the http-invoker.sar can remove it instead.
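The mitigation above as a web.xml fragment. This is an added example, not the descriptor shipped with http-invoker.sar or text from the advisory; the role name HttpInvoker, the BASIC login-config, and the narrower stock /restricted/* pattern it replaces are assumptions taken from the typical stock descriptor and should be checked against the web.xml actually deployed.

```xml
<!-- Added example of the recommended security-constraint; not the stock http-invoker.sar descriptor. -->
<web-app>
  <!-- The existing servlet, filter (ReadOnlyAccessFilter) and mapping entries of the invoker stay unchanged. -->

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <description>Require an authenticated caller for the entire http-invoker context</description>
      <!-- /* instead of the narrower stock pattern (assumed to be /restricted/*): every URL in the
           context, including the invoker servlets behind ReadOnlyAccessFilter, now needs
           authentication before any request body reaches the deserialization code. -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Role name assumed from the stock descriptor; use the role your deployment defines. -->
      <role-name>HttpInvoker</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss HTTP Invoker</realm-name>
  </login-config>

  <security-role>
    <role-name>HttpInvoker</role-name>
  </security-role>
</web-app>
```

The constraint only gates who can reach the filter; it does not change what the filter deserializes, so an authenticated principal in the HttpInvoker role can still submit arbitrary serialized data. Where the invoker is not used, removing http-invoker.sar, as the advisory suggests, closes the path entirely. The role must also exist in the security domain that the sar's jboss-web.xml references (an assumption about the deployment, not something the advisory states), otherwise every request is rejected and the invoker stops working for legitimate clients.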
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 6 | eap-parent | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 7 | eap-parent | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 5.2 security update | eap-parent | Fixed | RHSA-2018:1608 | 17.05.2018 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 | jbossas | Fixed | RHSA-2018:1607 | 17.05.2018 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 | jbossas | Fixed | RHSA-2018:1607 | 17.05.2018 |
Additional information
CVSS3: 9.8 Critical
Related vulnerabilities
Vulnerability in the doFilter method of the ReadOnlyAccessFilter of the HTTP Invoker in JBoss Enterprise Application Platform, allowing an attacker to execute arbitrary code