RHSA-2014:0045
Vulnerability from csaf_redhat
Published: 2014-01-20 17:30 UTC
Modified: 2024-11-22 07:25 UTC
Summary
Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.4.0 update
Notes
Topic
An update for the seam-remoting component of Red Hat JBoss Web Framework
Kit 2.4.0 that fixes two security issues is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
moderate security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
Details
Red Hat JBoss Web Framework Kit combines popular open source web frameworks
into a single solution for Java applications. The JBoss Seam Remoting
component provides a convenient method of remotely accessing Seam
components from a web page, using AJAX (Asynchronous JavaScript and XML).
It was found that the ExecutionHandler, PollHandler, and
SubscriptionHandler classes in JBoss Seam Remoting unmarshalled
user-supplied XML and resolved external entities in this XML. A remote
attacker could use this flaw to read files accessible to the user running
the application server, and potentially perform other more advanced XML
External Entity (XXE) attacks. (CVE-2013-6447)
It was found that the InterfaceGenerator handler in JBoss Seam Remoting
exposed details of all classes and methods on the server's classpath, not
only methods with the org.jboss.seam.annotations.remoting.WebRemote
annotation. A remote attacker could use this flaw to determine which
classes are deployed on the JBoss server. (CVE-2013-6448)
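The allow-list shape that CVE-2013-6448 calls for, as an added example rather than code from Seam Remoting: a leaky describer that resolves whatever class name the client names and lists every public method, beside a hardened one that only looks up registered components and only emits public methods carrying the remoting annotation. The `WebRemote` annotation declared here is a local stand-in for `org.jboss.seam.annotations.remoting.WebRemote` so the example compiles without Seam on the classpath; the component classes, registry and method names are constructed.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class InterfaceGeneratorDemo {

    // Local stand-in for org.jboss.seam.annotations.remoting.WebRemote (assumption for the example).
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface WebRemote {}

    // A deployed component: only balance() is meant to be callable from the browser.
    public static class AccountService {
        @WebRemote
        public String balance(String accountId) { return "0.00"; }
        public void resetPassword(String accountId) {}
        private void audit(String message) {}
    }

    // On the classpath, but never registered as a component; a client should not learn it exists.
    public static class InternalCryptoHelper {
        public byte[] wrapKey(byte[] key) { return key; }
    }

    // The only classes the application exposes, keyed by component name.
    static final Map<String, Class<?>> COMPONENTS = Map.of("accountService", AccountService.class);

    // Leaky shape: class name straight from the request into Class.forName, then every public
    // method (including inherited ones) is listed, annotation or not.
    static List<String> leakyDescribe(String className) throws ClassNotFoundException {
        List<String> out = new ArrayList<>();
        for (Method m : Class.forName(className).getMethods()) {
            out.add(m.getName());
        }
        return out;
    }

    // Hardened shape: resolve only through the registry (never Class.forName on input),
    // answer identically for unknown and unregistered names, and emit only public @WebRemote methods.
    static List<String> safeDescribe(String componentName) {
        Class<?> c = COMPONENTS.get(componentName);
        if (c == null) {
            return List.of();
        }
        List<String> out = new ArrayList<>();
        for (Method m : c.getDeclaredMethods()) {
            if (Modifier.isPublic(m.getModifiers()) && m.isAnnotationPresent(WebRemote.class)) {
                out.add(m.getName());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Leaks the helper's methods plus everything inherited from Object.
        System.out.println("leaky: " + leakyDescribe("InterfaceGeneratorDemo$InternalCryptoHelper"));
        // Only [balance]; resetPassword and audit are not advertised.
        System.out.println("safe:  " + safeDescribe("accountService"));
        // Unregistered class name: empty answer, no "class not found" oracle.
        System.out.println("safe (unregistered): " + safeDescribe("InternalCryptoHelper"));
    }
}
```

The two properties worth checking in any remoting metadata endpoint are the ones the hardened describer enforces: the client can only name things the application registered, and the response for a name that is not registered is indistinguishable from one that does not exist on the classpath at all.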
Red Hat would like to thank Jon Passki of Coverity SRL for reporting these
issues.
Red Hat rates CVE-2013-6447 as Moderate and CVE-2013-6448 as Low; both carry
a CVSS v2 base score of 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N). The XXE flaw also
affects Seam 3 remoting, which is not shipped in any Red Hat product and, with
Seam 3 development terminated, is not planned to be fixed. Red Hat JBoss BRMS 5,
Enterprise Application Platform 4 and 5, Enterprise Portal Platform 5,
Enterprise SOA Platform 4 and 5, and Enterprise Web Platform 5 are in Extended
Life Support and are not planned to receive a fix for either issue.
All users of Red Hat JBoss Web Framework Kit 2.4.0 as provided from the Red
Hat Customer Portal are advised to apply this update. The download link in the
References section requires a Customer Portal login. Back up the existing Web
Framework Kit installation before applying the update, and restart the JBoss
server process afterwards for the update to take effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the seam-remoting component of Red Hat JBoss Web Framework\nKit 2.4.0 that fixes two security issues is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Framework Kit combines popular open source web frameworks\ninto a single solution for Java applications. The JBoss Seam Remoting\ncomponent provides a convenient method of remotely accessing Seam\ncomponents from a web page, using AJAX (Asynchronous Javascript and XML).\n\nIt was found that the ExecutionHandler, PollHandler, and\nSubscriptionHandler classes in JBoss Seam Remoting unmarshalled\nuser-supplied XML and resolved external entities in this XML. A remote\nattacker could use this flaw to read files accessible to the user running\nthe application server, and potentially perform other more advanced XML\nExternal Entity (XXE) attacks. (CVE-2013-6447)\n\nIt was found that the InterfaceGenerator handler in JBoss Seam Remoting\nexposed details of all classes and methods on the server\u0027s classpath, not\nonly methods with the org.jboss.seam.annotations.remoting.WebRemote\nannotation. A remote attacker could use this flaw to determine which\nclasses are deployed on the JBoss server. 
(CVE-2013-6448)\n\nRed Hat would like to thank Jon Passki of Coverity SRL for reporting these\nissues.\n\nAll users of Red Hat JBoss Web Framework Kit 2.4.0 as provided from the Red\nHat Customer Portal are advised to apply this update.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2014:0045", "url": "https://access.redhat.com/errata/RHSA-2014:0045" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=securityPatches\u0026version=2.4.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=securityPatches\u0026version=2.4.0" }, { "category": "external", "summary": "1044784", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784" }, { "category": "external", "summary": "1044794", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0045.json" } ], 
"title": "Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.4.0 update", "tracking": { "current_release_date": "2024-11-22T07:25:26+00:00", "generator": { "date": "2024-11-22T07:25:26+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2014:0045", "initial_release_date": "2014-01-20T17:30:41+00:00", "revision_history": [ { "date": "2014-01-20T17:30:41+00:00", "number": "1", "summary": "Initial version" }, { "date": "2019-01-16T09:52:28+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T07:25:26+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Framework Kit 2.4", "product": { "name": "Red Hat JBoss Web Framework Kit 2.4", "product_id": "Red Hat JBoss Web Framework Kit 2.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.4.0" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Framework Kit" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Jon Passki" ], "organization": "Coverity SRL" } ], "cve": "CVE-2013-6447", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2013-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1044784" } ], "notes": [ { "category": "description", "text": "Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allow remote attackers to read arbitrary files and possibly have other impacts via a crafted XML file.", "title": "Vulnerability description" }, { "category": "summary", "text": "Seam: XML eXternal Entity 
(XXE) flaw in remoting", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue affects Seam 3 remoting, but Seam 3 is not shipped with any Red Hat products, and Seam 3 development has been terminated. This issue is not currently planned to be addressed in a future update to Seam 3.\n\nRed Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Framework Kit 2.4" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-6447" }, { "category": "external", "summary": "RHBZ#1044784", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6447", "url": "https://www.cve.org/CVERecord?id=CVE-2013-6447" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6447", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6447" } ], "release_date": "2014-01-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-01-20T17:30:41+00:00", "details": "The References 
section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting installation of Red Hat JBoss Web Framework Kit.\n\nThe JBoss server process must be restarted for this update to take effect.", "product_ids": [ "Red Hat JBoss Web Framework Kit 2.4" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0045" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Web Framework Kit 2.4" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Seam: XML eXternal Entity (XXE) flaw in remoting" }, { "acknowledgments": [ { "names": [ "Jon Passki" ], "organization": "Coverity SRL" } ], "cve": "CVE-2013-6448", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2013-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1044794" } ], "notes": [ { "category": "description", "text": "The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors.", "title": "Vulnerability description" }, { "category": "summary", "text": "Seam: Information disclosure in remoting", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 
are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Framework Kit 2.4" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-6448" }, { "category": "external", "summary": "RHBZ#1044794", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6448", "url": "https://www.cve.org/CVERecord?id=CVE-2013-6448" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6448", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6448" } ], "release_date": "2014-01-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-01-20T17:30:41+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying this update, back up your\nexisting installation of Red Hat JBoss Web Framework Kit.\n\nThe JBoss server process must be restarted for this update to take effect.", "product_ids": [ "Red Hat JBoss Web Framework Kit 2.4" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0045" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Web Framework Kit 2.4" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "Seam: Information disclosure in remoting" } ] }