Description
A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.
Statement
For Red Hat OpenStack Platform, although the affected code is present in shipped packages, proxy mode is not enabled by default and the affected code is not used in any supported configuration of Red Hat OpenStack Platform. For this reason, the RHOSP impact has been reduced to Low and this issue is not currently planned to be addressed in future updates.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| JBoss Developer Studio 11 | jolokia-core | Not affected | ||
| Red Hat AMQ Broker 7 | jolokia-core | Affected | ||
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | opendaylight | Not affected | ||
| Red Hat JBoss A-MQ 6 | jolokia-core | Will not fix | ||
| Red Hat JBoss Data Virtualization 6 | jolokia-client-java | Out of support scope | ||
| Red Hat JBoss Fuse 6 | jolokia-core | Will not fix | ||
| Red Hat JBoss Fuse Integration Service 2 | jolokia-core | Affected | ||
| Red Hat OpenStack Platform 10 (Newton) | opendaylight | Will not fix | ||
| Red Hat OpenStack Platform 11 (Ocata) | opendaylight | Not affected | ||
| Red Hat OpenStack Platform 12 (Pike) | opendaylight | Will not fix | ||
Additional information
Status: Important
Defect: CWE-99
https://bugzilla.redhat.com/show_bug.cgi?id=1559316 (jolokia: JMX proxy mode vulnerable to remote code execution)
EPSS: 0.91608 (percentile: 100%), Critical
CVSS3: 8.1 High
Related vulnerabilities
CVSS3: 8.1
nvd
almost 8 years ago
A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.