The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of JBoss AS OpenSource

computer vulnerability CVE-2016-0793

WildFly: file reading WEB-INF/META-INF

Synthesis of the vulnerability

An attacker can read a WEB-INF/META-INF file of WildFly, in order to obtain sensitive information.
Impacted products: Brocade Network Advisor, Unisphere EMC, JBoss AS OpenSource, WildFly.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 04/04/2016.
Identifiers: 1305937, 499009, BSA-2017-314, CVE-2016-0793, ESA-2017-056, VIGILANCE-VUL-19295.

Description of the vulnerability

WildFly uses a servlet filter to forbid reading files under the WEB-INF and META-INF directories of a deployment, which hold deployment descriptors and other internal files that must not be served to clients.

However, the filter compares the request path case-sensitively, while the Windows file system resolves names case-insensitively. On Windows, an attacker can therefore request the path with lowercase characters (web-inf/... or meta-inf/...): the filter does not match it, but the file system still resolves it to the protected directory, which bypasses the access restriction on WEB-INF/META-INF.

An attacker can therefore read a WEB-INF/META-INF file of WildFly, in order to obtain sensitive information.
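As an illustration of the bypass (an added example, not part of the Vigil@nce bulletin nor of WildFly's code), the Python block below models the flawed filter next to a hardened one, and a file lookup that is case-insensitive, as on Windows, or case-sensitive, as on a POSIX system. The DEPLOYMENT table, the function names and the response codes are assumptions made for the example.

```python
import posixpath
from typing import Callable, Optional, Tuple
from urllib.parse import unquote

PROTECTED_DIRS = ("WEB-INF", "META-INF")

# Constructed toy deployment: path relative to the web root -> file content.
DEPLOYMENT = {
    "index.html": "<h1>public page</h1>",
    "WEB-INF/web.xml": "<web-app><!-- descriptors, roles, resource refs --></web-app>",
}


def vulnerable_filter_blocks(request_path: str) -> bool:
    """Model of the flawed filter: an exact, case-sensitive match on the
    protected directory names, applied to the raw request path."""
    return any(seg in PROTECTED_DIRS for seg in request_path.split("/"))


def hardened_filter_blocks(request_path: str) -> bool:
    """Decode once, collapse '.'/'..' segments, then compare case-insensitively,
    so the decision does not depend on how the file system resolves names."""
    path = posixpath.normpath(unquote(request_path))
    return any(seg.upper() in PROTECTED_DIRS for seg in path.split("/"))


def open_on_fs(request_path: str, case_insensitive_fs: bool) -> Optional[str]:
    """Model of the file lookup: NTFS-style lookups ignore case, POSIX ones do not."""
    rel = request_path.lstrip("/")
    for stored, content in DEPLOYMENT.items():
        if stored == rel or (case_insensitive_fs and stored.lower() == rel.lower()):
            return content
    return None


def serve(request_path: str, case_insensitive_fs: bool,
          blocks: Callable[[str], bool]) -> Tuple[int, Optional[str]]:
    """Run the filter, then the file lookup; returns (status, body)."""
    if blocks(request_path):
        return 403, None
    content = open_on_fs(request_path, case_insensitive_fs)
    return (200, content) if content is not None else (404, None)


if __name__ == "__main__":
    for fs in (True, False):
        label = "case-insensitive FS" if fs else "case-sensitive FS  "
        print(label, "vulnerable:", serve("/web-inf/web.xml", fs, vulnerable_filter_blocks))
        print(label, "hardened:  ", serve("/web-inf/web.xml", fs, hardened_filter_blocks))
```

The hardened filter folds case on every platform on purpose: a deny decision that depends on the semantics of the underlying file system is exactly what failed here, and a deployment is not expected to contain a legitimate directory named web-inf. In a real container the stronger check is to resolve the requested file to its canonical path on disk and verify that it is not under the protected directories.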
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2015-4852 CVE-2015-6420 CVE-2015-6934

Apache Commons Collections: code execution via InvokerTransformer

Synthesis of the vulnerability

An attacker can send a malicious serialized gadget chain object to a Java application using Apache Commons Collections, in order to run arbitrary commands on the server.
Impacted products: CAS Server, Blue Coat CAS, SGOS by Blue Coat, Brocade Network Advisor, Brocade vTM, ASA, AsyncOS, Cisco ESA, Cisco Prime Access Registrar, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco MeetingPlace, Cisco Unity ~ precise, Debian, BIG-IP Hardware, TMOS, HPE BSM, HPE NNMi, HP Operations, DB2 UDB, Domino, Notes, IRAD, QRadar SIEM, SPSS Modeler, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, JBoss AS OpenSource, Junos Space, ePO, Mule ESB, Snap Creator Framework, SnapManager, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle OIT, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Unix (platform) ~ not comprehensive, vCenter Server.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 12.
Creation date: 12/11/2015.
Identifiers: 1610582, 1970575, 1971370, 1971531, 1971533, 1971751, 1972261, 1972373, 1972565, 1972794, 1972839, 2011281, 7014463, 7022958, 9010052, BSA-2016-004, bulletinjul2016, c04953244, c05050545, c05206507, c05325823, c05327447, CERTFR-2015-AVI-484, CERTFR-2015-AVI-555, cisco-sa-20151209-java-deserialization, COLLECTIONS-580, cpuapr2017, cpuapr2018, cpujan2017, cpujan2018, cpujul2017, cpuoct2016, cpuoct2017, cpuoct2018, CVE-2015-4852, CVE-2015-6420, CVE-2015-6934, CVE-2015-7420-ERROR, CVE-2015-7450, CVE-2015-7501, CVE-2015-8545, CVE-2015-8765, CVE-2016-1985, CVE-2016-1997, CVE-2016-4373, CVE-2016-4398, DSA-3403-1, HPSBGN03542, HPSBGN03560, HPSBGN03630, HPSBGN03656, HPSBGN03670, JSA10838, NTAP-20151123-0001, RHSA-2015:2500-01, RHSA-2015:2501-01, RHSA-2015:2502-01, RHSA-2015:2516-01, RHSA-2015:2517-01, RHSA-2015:2521-01, RHSA-2015:2522-01, RHSA-2015:2523-01, RHSA-2015:2524-01, RHSA-2015:2534-01, RHSA-2015:2535-01, RHSA-2015:2536-01, RHSA-2015:2537-01, RHSA-2015:2538-01, RHSA-2015:2539-01, RHSA-2015:2540-01, RHSA-2015:2541-01, RHSA-2015:2542-01, RHSA-2015:2547-01, RHSA-2015:2548-01, RHSA-2015:2556-01, RHSA-2015:2557-01, RHSA-2015:2559-01, RHSA-2015:2560-01, RHSA-2015:2578-01, RHSA-2015:2579-01, RHSA-2015:2670-01, RHSA-2015:2671-01, RHSA-2016:0040-01, RHSA-2016:0118-01, SA110, SB10144, SOL30518307, VIGILANCE-VUL-18294, VMSA-2015-0009, VMSA-2015-0009.1, VMSA-2015-0009.2, VMSA-2015-0009.3, VMSA-2015-0009.4, VU#576313.

Description of the vulnerability

The Apache Commons Collections library is used by a large number of Java applications and products.

A gadget chain is a serialized object graph arranged so that rebuilding it triggers attacker-chosen behaviour. With Apache Commons Collections, the chain is built from Transformer objects: InvokerTransformer instances whose serialized fields hold a method name and its arguments, chained so that they reflectively obtain java.lang.Runtime and call its exec() method with a shell command carried in the serialized data. When an application deserializes such bytes with ObjectInputStream, readObject() reconstructs the objects and the transformers are applied during reconstruction, so the command runs before the application code ever sees the resulting object.

It can be noted that other functors of the same library (CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure) likewise perform reflective instantiation or invocation driven by their deserialized state, so they can serve as links in such chains; the COLLECTIONS-580 fix disables deserialization of all of them by default.

However, many applications deserialize untrusted data on network endpoints that are reachable before authentication, and the library is present on the classpath of the products listed above, so wherever such an endpoint exists the vulnerability is reachable remotely.

An attacker can therefore send a malicious serialized gadget chain object to a Java application using Apache Commons Collections, in order to run arbitrary commands on the server.
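On the detection side, as an added example (not code from the bulletin or from Apache Commons Collections): the Python block below checks whether a blob is a Java serialized stream and lists the unsafe functor classes named in its class descriptors, which is how a WAF rule or a log triage script can flag a gadget chain before it reaches ObjectInputStream. The two sample streams are constructed for the example and contain only the records the scanner reads; the function names are assumptions of the example, and the package prefixes are those of Commons Collections 3.x and 4.x.

```python
import re
from typing import List

STREAM_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream magic + stream version
TC_CLASSDESC = 0x72

# Functors that COLLECTIONS-580 (Commons Collections 3.2.2 / 4.1) refuses to
# deserialize by default; their serialized state drives reflective calls.
UNSAFE_FUNCTORS = {
    "InvokerTransformer", "CloneTransformer", "ForClosure", "InstantiateFactory",
    "InstantiateTransformer", "PrototypeCloneFactory",
    "PrototypeSerializationFactory", "WhileClosure",
}
FUNCTOR_PACKAGES = (
    "org.apache.commons.collections.functors.",
    "org.apache.commons.collections4.functors.",
)
CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")


def is_java_serialized(data: bytes) -> bool:
    return data[:4] == STREAM_MAGIC


def class_descriptors(data: bytes) -> List[str]:
    """Heuristic walk of TC_CLASSDESC records (0x72, u2 length, class name,
    u8 serialVersionUID, u1 flags, u2 field count) to list the classes the
    stream asks the receiver to load. Back-references (TC_REFERENCE) are not
    followed: a class always appears once in full before being referenced."""
    names: List[str] = []
    i = data.find(bytes([TC_CLASSDESC]))
    while 0 <= i < len(data) - 3:
        length = int.from_bytes(data[i + 1:i + 3], "big")
        start, end = i + 3, i + 3 + length
        name = data[start:end]
        # a real descriptor is followed by at least uid + flags + field count
        if length and end + 11 <= len(data) and CLASS_NAME.match(name):
            names.append(name.decode("ascii"))
            i = data.find(bytes([TC_CLASSDESC]), end)
        else:
            i = data.find(bytes([TC_CLASSDESC]), i + 1)
    return names


def gadget_classes(data: bytes) -> List[str]:
    """Return the unsafe Commons Collections functors named in a serialized stream."""
    if not is_java_serialized(data):
        return []
    hits = []
    for name in class_descriptors(data):
        for pkg in FUNCTOR_PACKAGES:
            if name.startswith(pkg) and name[len(pkg):] in UNSAFE_FUNCTORS:
                hits.append(name)
    return hits


# Constructed samples: simplified streams holding only class descriptor records.
def _classdesc(name: str, uid: int = 0x1234) -> bytes:
    raw = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + len(raw).to_bytes(2, "big") + raw
            + uid.to_bytes(8, "big") + b"\x02" + b"\x00\x00")


SAMPLE_GADGET = (STREAM_MAGIC + b"\x73" + _classdesc("java.util.HashMap") + b"\x73"
                 + _classdesc("org.apache.commons.collections.functors.InvokerTransformer")
                 + b"\x78\x70")
SAMPLE_BENIGN = STREAM_MAGIC + b"\x73" + _classdesc("java.util.ArrayList") + b"\x78\x70"

if __name__ == "__main__":
    print("gadget stream :", gadget_classes(SAMPLE_GADGET))
    print("benign stream :", gadget_classes(SAMPLE_BENIGN))
```

A scanner of this kind is a tripwire, not a fix: it only knows the functors listed here, and a chain built on another library passes through it. The durable remediation is to stop deserializing untrusted input, or to apply a whitelist with ObjectInputFilter (JEP 290, available from Java 8u121 / Java 9) and to upgrade Commons Collections to a release that ships the COLLECTIONS-580 change.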

vulnerability announce CVE-2012-0874 CVE-2013-4810

JBoss AS 4, 5: code execution via Invoker

Synthesis of the vulnerability

An attacker can use EJBInvokerServlet / JMXInvokerServlet of JBoss AS 4/5, in order to deploy an archive containing arbitrary code, which is then executed on the server.
Impacted products: JBoss AS OpenSource, RHEL, JBoss EAP by Red Hat.
Severity: 3/4.
Consequences: user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 20/11/2013.
Identifiers: 795645, BID-57552, CVE-2012-0874, CVE-2013-4810, RHSA-2013:0191-01, RHSA-2013:0192-01, RHSA-2013:0193-01, RHSA-2013:0194-01, RHSA-2013:0195-01, RHSA-2013:0196-01, RHSA-2013:0197-01, RHSA-2013:0198-01, RHSA-2013:0221-01, RHSA-2013:0533-01, VIGILANCE-VUL-13802.

Description of the vulnerability

In versions 4 and 5 of JBoss AS, the HTTP Invoker service gives access to EJBs (Enterprise Java Beans) and to the JMX server over HTTP: the client posts a Java serialized invocation object and receives a serialized result, the same RMI-style exchange tunnelled in HTTP requests.

However, access to the EJBInvokerServlet and JMXInvokerServlet servlets does not require authentication by default, so anyone who can reach the HTTP port can invoke MBeans, including the deployment MBeans.

An attacker can therefore use EJBInvokerServlet / JMXInvokerServlet of JBoss AS 4/5, in order to deploy an archive containing arbitrary code, which is then executed on the server.
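A check for this exposure, as an added example (not from the bulletin or from JBoss): the Python block below classifies the answer to an unauthenticated GET on each invoker servlet and can probe a live server. The classification rule (an HTTP 200 answer carrying a Java serialized object means the invoker handled the request without credentials) is based on the observed behaviour of JBoss AS 4/5 and, like the three constructed sample responses and the function names, is an assumption of the example.

```python
import sys
import urllib.error
import urllib.request
from typing import Dict

INVOKER_PATHS = ("/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet")
SERIALIZED_MAGIC = b"\xac\xed\x00\x05"


def classify(status: int, content_type: str, body_prefix: bytes) -> str:
    """Classify the answer to an unauthenticated GET on an invoker servlet.

    'exposed'   : HTTP 200 carrying a Java serialized object, i.e. the invoker
                  processed the request without asking for credentials;
    'protected' : the container demanded authentication or refused access;
    'absent'    : the http-invoker application is not deployed."""
    if status == 200 and (body_prefix.startswith(SERIALIZED_MAGIC)
                          or "x-java-serialized-object" in content_type.lower()):
        return "exposed"
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    return f"unknown ({status})"


def probe(base_url: str, timeout: float = 5.0) -> Dict[str, str]:
    """GET both invoker servlets without credentials and classify each answer."""
    results: Dict[str, str] = {}
    for path in INVOKER_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = classify(resp.status,
                                         resp.headers.get("Content-Type", ""),
                                         resp.read(4))
        except urllib.error.HTTPError as err:
            results[path] = classify(err.code, err.headers.get("Content-Type", ""), b"")
        except urllib.error.URLError as err:
            results[path] = f"unreachable ({err.reason})"
    return results


# Constructed responses, shaped like the three situations the classifier knows.
SAMPLE_EXPOSED = (200, "application/x-java-serialized-object", SERIALIZED_MAGIC + b"\x73\x72")
SAMPLE_PROTECTED = (401, "text/html", b"")
SAMPLE_ABSENT = (404, "text/html", b"<html>")

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python3 check.py http://server:8080
        for path, verdict in probe(sys.argv[1]).items():
            print(f"{path}: {verdict}")
    else:
        for sample in (SAMPLE_EXPOSED, SAMPLE_PROTECTED, SAMPLE_ABSENT):
            print(sample[0], "->", classify(*sample))
```

Run it only against systems you are authorised to test. An "exposed" verdict means the fix is to require authentication for the /invoker/* paths (or to remove the HTTP invoker deployment altogether when nothing uses it), since the servlets themselves cannot distinguish a legitimate caller from an attacker.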

computer vulnerability announce CVE-2009-5066

JBoss AS 5: password reading via twiddle.sh

Synthesis of the vulnerability

While the twiddle.sh script runs, a local attacker can use the ps command, in order to read the password from its command line.
Impacted products: JBoss AS OpenSource, RHEL, JBoss EAP by Red Hat.
Severity: 1/4.
Consequences: privileged access/rights.
Provenance: user shell.
Creation date: 23/07/2012.
Identifiers: BID-54631, CVE-2009-5066, JBPAPP-3391, RHSA-2013:0191-01, RHSA-2013:0192-01, RHSA-2013:0193-01, RHSA-2013:0194-01, RHSA-2013:0195-01, RHSA-2013:0196-01, RHSA-2013:0197-01, RHSA-2013:0198-01, RHSA-2013:0221-01, RHSA-2013:0533-01, VIGILANCE-VUL-11787.

Description of the vulnerability

The twiddle.sh script, provided with JBoss Application Server version 5, is a command-line client for the JMX server. It wraps twiddle.jar.

However, the login and password have to be passed as command-line arguments. For example:
  ./twiddle.sh --user=MyLogin --password=MyPassword ...

The command line of every process is readable by every local user (through ps, or /proc/<pid>/cmdline on Linux), so while the twiddle.sh script runs a local attacker can therefore use the ps command, in order to read the password.
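To find this class of leak on a host, as an added example (not the bulletin's or JBoss's code): the Python block below reads the command line of every process from /proc, the same data ps shows, and reports the options that carry a credential. The option-name pattern and the constructed twiddle.sh argument lists are assumptions of the example, and the live scan is Linux-specific.

```python
import os
import re
from typing import Iterator, List, Tuple

# Option names that conventionally carry a credential, as '--password=x',
# '--password x' or '-p x'. Extend the list for the tools in use (assumption).
SECRET_OPTIONS = re.compile(
    r"^(--?(?:password|passwd|pass|pwd|token|secret|api[-_]?key)|-[pP])$")


def credential_args(argv: List[str]) -> List[str]:
    """Return the options in argv whose value is a credential.
    Handles both '--opt=value' and the two-token form 'opt value'."""
    found: List[str] = []
    i = 0
    while i < len(argv):
        opt, sep, _ = argv[i].partition("=")
        if SECRET_OPTIONS.match(opt) and (sep or i + 1 < len(argv)):
            found.append(opt)
            if not sep:
                i += 1          # the value is the next token; skip it
        i += 1
    return found


def redacted(argv: List[str]) -> List[str]:
    """Copy of argv with credential values replaced, safe to log as a finding."""
    out: List[str] = []
    i = 0
    while i < len(argv):
        opt, sep, _ = argv[i].partition("=")
        if SECRET_OPTIONS.match(opt):
            out.append(opt + "=***" if sep else opt)
            if not sep and i + 1 < len(argv):
                out.append("***")
                i += 1
        else:
            out.append(argv[i])
        i += 1
    return out


def running_processes() -> Iterator[Tuple[int, List[str]]]:
    """Yield (pid, argv) for every process whose /proc/<pid>/cmdline is
    readable: that is exactly what 'ps -ef' shows to every local user."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            continue
        if raw:
            yield int(entry), [a.decode("utf-8", "replace")
                               for a in raw.rstrip(b"\0").split(b"\0")]


# Constructed argument lists, modelled on the bulletin's twiddle.sh example.
SAMPLE_TWIDDLE = ["./twiddle.sh", "--user=MyLogin", "--password=MyPassword",
                  "get", "jboss.system:type=Server"]
SAMPLE_SHORT_FLAG = ["java", "-jar", "twiddle.jar", "-p", "hunter2"]

if __name__ == "__main__":
    for argv in (SAMPLE_TWIDDLE, SAMPLE_SHORT_FLAG):
        print(credential_args(argv), redacted(argv))
    if os.path.isdir("/proc"):
        for pid, argv in running_processes():
            if credential_args(argv):
                print(f"pid {pid} leaks a credential: {' '.join(redacted(argv))}")
```

The scanner reports the option, never the value, so its own output does not become a second copy of the secret. The remediation for any process it flags is to move the credential out of the argument vector: a file readable only by the invoking user, a prompt, or the tool's own mechanism for reading it from a protected source.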

computer vulnerability bulletin CVE-2011-3606 CVE-2011-3609

JBoss AS: two vulnerabilities of the Console

Synthesis of the vulnerability

An attacker can exploit a Cross Site Scripting and a Cross Site Request Forgery in the administration Console of JBoss AS.
Impacted products: JBoss AS OpenSource, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/12/2011.
Identifiers: 742984, 743006, BID-50885, BID-50888, CERTA-2011-AVI-671, CVE-2011-3606, CVE-2011-3609, VIGILANCE-VUL-11188.

Description of the vulnerability

Two vulnerabilities were announced in the administration Console of JBoss Application Server.

An attacker can trigger a Cross Site Scripting via an onerror event handler, in order to execute JavaScript code in the context of the web site. [severity:2/4; 742984, BID-50885, CERTA-2011-AVI-671, CVE-2011-3606]

The JSON requests of the Console are not protected against Cross Site Request Forgery, so an attacker can make the browser of a logged-in administrator send them, in order to execute administrative commands. [severity:2/4; 743006, BID-50888, CVE-2011-3609]

vulnerability alert CVE-2010-4476

Java JRE: denial of service via a floating-point number

Synthesis of the vulnerability

An attacker can supply a specific double-precision floating-point number, in order to make any Java program that parses it loop forever.
Impacted products: Debian, Fedora, HPE BAC, HPE NNMi, OpenView, OpenView NNM, Tru64 UNIX, HP-UX, AIX, DB2 UDB, Tivoli Directory Server, Tivoli Storage Manager, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, JBoss AS OpenSource, Mandriva Linux, NLD, OES, Java OpenJDK, openSUSE, Oracle iPlanet Web Server, Java Oracle, Oracle Web Tier, RHEL, JBoss EAP by Red Hat, SLES.
Severity: 3/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 02/02/2011.
Identifiers: 1468291, BID-46091, c02729756, c02738573, c02746026, c02752210, c02775276, c02826781, c02906075, c03090723, c03316985, CERTA-2002-AVI-271, CERTA-2012-AVI-286, cpuapr2011, CVE-2010-4476, DSA-2161-1, DSA-2161-2, FEDORA-2011-1231, FEDORA-2011-1263, HPSBMU02690, HPSBTU02684, HPSBUX02633, HPSBUX02641, HPSBUX02642, HPSBUX02645, HPSBUX02685, HPSBUX02725, HPSBUX02777, IZ94331, javacpufeb2011, MDVSA-2011:054, openSUSE-SU-2011:0126-1, PM32175, PM32177, PM32184, PM32192, PM32194, RHSA-2011:0210-01, RHSA-2011:0211-01, RHSA-2011:0212-01, RHSA-2011:0213-01, RHSA-2011:0214-01, RHSA-2011:0282-01, RHSA-2011:0290-01, RHSA-2011:0291-01, RHSA-2011:0292-01, RHSA-2011:0299-01, RHSA-2011:0333-01, RHSA-2011:0334-01, RHSA-2011:0336-01, RHSA-2011:0348-01, RHSA-2011:0349-01, RHSA-2011:0880-01, SSRT100387, SSRT100390, SSRT100412, SSRT100415, SSRT100505, SSRT100569, SSRT100627, SSRT100854, SUSE-SA:2011:010, SUSE-SA:2011:014, SUSE-SR:2011:008, SUSE-SU-2011:0823-1, swg21469266, swg24030066, swg24030067, VIGILANCE-VUL-10321.

Description of the vulnerability

The number 2.2250738585072011e-308 lies at the boundary between normal and subnormal doubles: the largest subnormal double has the IEEE 754 bit pattern 0x000FFFFFFFFFFFFF, that is (2^52 - 1) x 2^-1074, and the smallest normal double, 2^-1022 = 2.2250738585072014e-308, is one ulp above it.

On an x86 processor, the Java JRE converts a decimal string to a double with a correction loop that uses the x87 FPU's 80-bit registers to refine its approximation bit by bit, and stops when the remaining error is below the precision of a double. For this number, the 80-bit intermediate rounded to 64 bits never satisfies the stop condition (the loop keeps oscillating around the boundary), so the conversion never terminates.

An attacker can therefore submit this floating-point number to any code path that converts attacker-controlled text with Double.parseDouble() or a similar JRE routine, in order to make the Java program loop forever and burn a CPU, which is a denial of service of the server or client that parses it.

The origin of this vulnerability is the same as VIGILANCE-VUL-10257.
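To see where this number sits, as an added example (not part of the bulletin): the Python block below decodes the bit pattern of the value and flags any decimal string that rounds to one of the two doubles on the normal/subnormal boundary, a check an input filter can apply before handing a number to a parser that cannot be patched. Python's own float() is correctly rounded and does not hang; the function names are assumptions of the example.

```python
import struct
from typing import Dict

MIN_NORMAL_BITS = 0x0010000000000000      # 2**-1022, the smallest normal double
MAX_SUBNORMAL_BITS = 0x000FFFFFFFFFFFFF   # (2**52 - 1) * 2**-1074, one ulp below it
TRIGGER = "2.2250738585072011e-308"       # the value quoted in the bulletin


def double_bits(value: float) -> int:
    """IEEE 754 binary64 bit pattern of a Python float."""
    return struct.unpack(">Q", struct.pack(">d", value))[0]


def decode(value: float) -> Dict[str, int]:
    """Split a double into sign, biased exponent and 52-bit fraction;
    exponent 0 with a non-zero fraction marks a subnormal."""
    bits = double_bits(value)
    exponent = (bits >> 52) & 0x7FF
    fraction = bits & ((1 << 52) - 1)
    return {"sign": bits >> 63, "exponent": exponent, "fraction": fraction,
            "subnormal": int(exponent == 0 and fraction != 0)}


def at_normal_subnormal_boundary(text: str) -> bool:
    """True when a decimal string rounds to one of the two doubles that sit on
    the normal/subnormal boundary, the zone where the buggy correction loop
    failed to converge. Non-numeric input is simply not flagged."""
    try:
        value = abs(float(text))
    except ValueError:
        return False
    return double_bits(value) in (MAX_SUBNORMAL_BITS, MIN_NORMAL_BITS)


if __name__ == "__main__":
    v = float(TRIGGER)
    print(f"{TRIGGER} -> 0x{double_bits(v):016X} {decode(v)}")
    print(f"2**-1022 -> 0x{double_bits(2.0 ** -1022):016X}")
    print("boundary value:", at_normal_subnormal_boundary(TRIGGER))
```

The decimal string rounds to the largest subnormal (exponent field 0, all 52 fraction bits set), and the smallest normal double is the very next bit pattern; the conversion loop has to decide between the two, which is where the 80-bit versus 64-bit rounding disagreement bites. Note that a text filter is only a stopgap: values near the boundary can be written in many decimal forms, so patching the JRE is the actual fix.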

computer vulnerability alert CVE-2010-2474

JBoss: privilege elevation via ESB

Synthesis of the vulnerability

In some cases, data of a service using the ESB component can be processed with incorrect privileges.
Impacted products: JBoss AS OpenSource.
Severity: 2/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: internet client.
Creation date: 23/07/2010.
Identifiers: 609442, BID-41915, CERTA-2010-AVI-336, CERTA-2010-AVI-354, CVE-2010-2474, VIGILANCE-VUL-9786.

Description of the vulnerability

The JBoss ESB component provides the communication interface for distributed services.

In the normal case, a service runs with the credentials of its own security domain.

However, in some cases, data of a service using the ESB component can be processed with incorrect privileges.

A service can therefore run with elevated privileges; whether this is exploitable depends on the service.

vulnerability alert 9711

JBoss AS: Cross Site Request Forgery of JMX Console

Synthesis of the vulnerability

When the administrator is logged on the JMX Console of JBoss AS, an attacker can lure them into viewing a malicious web page, in order to automatically deploy a WAR file via the DeploymentFileRepository MBean.
Impacted products: JBoss AS OpenSource, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: document.
Creation date: 16/06/2010.
Identifiers: VIGILANCE-VUL-9711.

Description of the vulnerability

The JMX Console of JBoss Application Server is used to administer the server.

The DeploymentFileRepository MBean is used to easily deploy a WAR application on the server.

The page http://server:8080/jmx-console/HtmlAdaptor invokes MBean operations directly from the parameters of a request, with neither a confirmation step nor an anti-CSRF token, so a single crafted request can call DeploymentFileRepository and deploy a malicious application. Since the console relies only on the credentials the browser attaches automatically, any page the administrator visits can make the browser send that request.

When the administrator is logged on the JMX Console of JBoss AS, an attacker can therefore lure them into viewing a malicious web page containing an image tag whose URL points to HtmlAdaptor, in order to automatically deploy a WAR file via the DeploymentFileRepository MBean.

vulnerability announce CVE-2008-5515 CVE-2009-0033 CVE-2009-0580

Apache Tomcat: several vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Apache Tomcat in order to generate a denial of service or to obtain information.
Impacted products: Tomcat, BES, Debian, Fedora, Performance Center, HP-UX, JBoss AS OpenSource, NSM Central Manager, NSMXpress, Mandriva Linux, OpenSolaris, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SLES, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 04/06/2009.
Revisions dates: 09/06/2009, 10/06/2010.
Identifiers: 263529, 6848375, 6849727, BID-35193, BID-35196, BID-35263, BID-35416, c01908935, c02181353, c02515878, CERTA-2009-AVI-211, CERTA-2010-AVI-220, CERTA-2011-AVI-169, CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0783, DSA-2207-1, FEDORA-2009-11352, FEDORA-2009-11356, FEDORA-2009-11374, HPSBMA02535, HPSBUX02466, HPSBUX02579, KB25966, MDVSA-2009:136, MDVSA-2009:138, MDVSA-2009:163, MDVSA-2010:176, PSN-2012-05-584, RHSA-2009:1143-01, RHSA-2009:1144-01, RHSA-2009:1145-01, RHSA-2009:1146-01, RHSA-2009:1164-01, RHSA-2009:1454-01, RHSA-2009:1506-01, RHSA-2009:1562-01, RHSA-2009:1563-01, RHSA-2009:1616-01, RHSA-2009:1617-01, RHSA-2010:0602-02, SSRT090192, SSRT100029, SSRT100203, SUSE-SR:2009:012, SUSE-SR:2010:008, VIGILANCE-VUL-8762, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.

Description of the vulnerability

Several vulnerabilities were announced in Apache Tomcat.

An attacker can send a request with invalid headers to the AJP connector, in order to make Tomcat close the AJP connection. [severity:2/4; BID-35193, CVE-2009-0033]

When form authentication (j_security_check) is used with MemoryRealm, DataSourceRealm or JDBCRealm, an attacker can submit a password with an invalid URL encoding; the server then answers differently depending on whether the username exists, which allows valid usernames to be enumerated. [severity:2/4; BID-35196, CVE-2009-0580]

A web application can replace the XML parser that Tomcat uses for the other applications, and thus read or modify the web.xml/context.xml file of another application. [severity:1/4; BID-35416, CVE-2009-0783]

ApplicationHttpRequest.java canonicalizes the request URL before the query string is removed, so ".." segments placed in the query string walk up the real path. The url "http://s/dir1/dir2?/../" is for example converted to "http://s/dir1/". [severity:2/4; BID-35263, CERTA-2009-AVI-211, CERTA-2010-AVI-220, CVE-2008-5515]
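The order-of-operations flaw of the last item, as an added example (not the bulletin's or Tomcat's code): the Python block below canonicalizes a request URI before and after splitting off the query string. With the flawed order, ".." segments placed in the query string walk up the real path, as the /dir1/dir2?/../ case from the bulletin shows. The canonicalize helper and the function names are assumptions of the example, and the second sample URI generalizes the bulletin's case to a traversal that reaches into WEB-INF.

```python
from typing import List


def canonicalize(path: str) -> str:
    """Collapse '.' and '..' segments of a URL path, keeping a trailing slash
    when the input ended with one (or with '.'/'..', which name a directory).
    '..' never climbs above the root."""
    absolute = path.startswith("/")
    out: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    result = "/".join(out)
    if absolute:
        result = "/" + result
    if path.endswith(("/", "/.", "/..")) and not result.endswith("/"):
        result += "/"
    return result


def vulnerable_normalize(request_uri: str) -> str:
    """The flawed order: canonicalize the whole URI, query string included,
    so a '..' inside the query removes a segment of the real path."""
    return canonicalize(request_uri)


def fixed_normalize(request_uri: str) -> str:
    """Split the query string off first, then canonicalize only the path."""
    path, sep, query = request_uri.partition("?")
    return canonicalize(path) + sep + query


if __name__ == "__main__":
    for uri in ("/dir1/dir2?/../", "/app/page?/../../WEB-INF/web.xml"):
        print(f"{uri!r}: vulnerable -> {vulnerable_normalize(uri)!r}, "
              f"fixed -> {fixed_normalize(uri)!r}")
```

The rule it illustrates is general: strip everything that is not path (query string, fragment) before canonicalizing, and make every access-control decision on the canonical path that will actually be dispatched, never on the raw request line.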

computer vulnerability note CVE-2009-1191

Apache Tomcat: information disclosure via mod_proxy_ajp

Synthesis of the vulnerability

In some cases, the mod_proxy_ajp module can send to the client data belonging to another user.
Impacted products: Apache httpd, JBoss AS OpenSource, Mandriva Linux, OpenSolaris, Solaris, RHEL, Slackware.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 23/04/2009.
Identifiers: 46949, BID-34663, CVE-2009-1191, MDVSA-2009:102, MDVSA-2009:323, RHSA-2009:1058-01, SSA:2009-214-01, VIGILANCE-VUL-8669.

Description of the vulnerability

The mod_proxy_ajp module of Apache httpd proxies requests to an Apache Tomcat server over the AJP protocol.

An AJP (Apache JServ Protocol) request is composed of:
 - a header
 - a body (for POST requests)

However, if the client closes the connection before sending the body, the mod_proxy_ajp module of Apache httpd 2.2.11 loses synchronisation on the backend AJP connection, and a response read from that connection can be returned to a different client. Data belonging to another user can thus be returned to the client. This vulnerability is different from VIGILANCE-VUL-8609.

In some cases, the mod_proxy_ajp module can therefore send to the client data belonging to another user.