CVE-2008-3519 - Configuration vulnerability in Red Hat JBoss Enterprise Application Platform 4.2/4.3
CVSS metrics
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | NONE |
Availability impact | NONE |
Summary
The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP), possibly 4.2 before CP04 and 4.3 before CP02, when a production environment is enabled, sets the DownloadServerClasses property to true, which allows remote attackers to obtain sensitive information (non-EJB classes) via a download request, a different vulnerability than CVE-2008-3273.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 6 |
Nessus
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2008-0832.NASL |
title | RHEL 5 : JBoss EAP (RHSA-2008:0832) |
description | Updated JBoss Enterprise Application Platform (JBEAP) 4.3 packages that fix various security issues are now available for Red Hat Enterprise Linux 5 as JBEAP 4.3.0.CP02. This update has been rated as having low security impact by the Red Hat Security Response Team. JBoss Enterprise Application Platform is the market leading platform for innovative and scalable Java applications; integrating the JBoss Application Server, with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution. This release of JBEAP for Red Hat Enterprise Linux 5 serves as a replacement to JBEAP 4.3.0.CP01. These updated packages include bug fixes and enhancements which are detailed in the release notes. The link to the release notes is available below in the References section. The following security issues are also fixed with this release: The default security policy in the JULI logging component did not restrict access permissions to files. This could be misused by untrusted web applications to access and write arbitrary files in the context of the tomcat process. (CVE-2007-5342) The property that controls the download of server classes was set to |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63865 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/63865 |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2008-0831.NASL |
title | RHEL 4 : JBoss EAP (RHSA-2008:0831) |
description | Updated JBoss Enterprise Application Platform (JBEAP) 4.3 packages that fix various security issues are now available for Red Hat Enterprise Linux 4 as JBEAP 4.3.0.CP02. This update has been rated as having low security impact by the Red Hat Security Response Team. JBoss Enterprise Application Platform is the market leading platform for innovative and scalable Java applications; integrating the JBoss Application Server, with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution. This release of JBEAP for Red Hat Enterprise Linux 4 serves as a replacement to JBEAP 4.3.0.CP01. These updated packages include bug fixes and enhancements which are detailed in the release notes. The link to the release notes is available below in the References section. The following security issues are also fixed with this release: The default security policy in the JULI logging component did not restrict access permissions to files. This could be misused by untrusted web applications to access and write arbitrary files in the context of the tomcat process. (CVE-2007-5342) The property that controls the download of server classes was set to |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63864 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/63864 |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2008-0834.NASL |
title | RHEL 5 : JBoss EAP (RHSA-2008:0834) |
description | Updated JBoss Enterprise Application Platform (JBEAP) 4.2 packages that fix various security issues are now available for Red Hat Enterprise Linux 5 as JBEAP 4.2.0.CP04. This update has been rated as having low security impact by the Red Hat Security Response Team. JBoss Enterprise Application Platform is the market leading platform for innovative and scalable Java applications; integrating the JBoss Application Server, with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution. This release of JBEAP for Red Hat Enterprise Linux 5 serves as a replacement to JBEAP 4.2.0.CP03. These updated packages include bug fixes and enhancements which are detailed in the release notes. The link to the release notes is available below in the References section. The following security issues are also fixed with this release: The default security policy in the JULI logging component did not restrict access permissions to files. This could be misused by untrusted web applications to access and write arbitrary files in the context of the tomcat process. (CVE-2007-5342) The property that controls the download of server classes was set to |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63867 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/63867 |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2008-0833.NASL |
title | RHEL 4 : JBoss EAP (RHSA-2008:0833) |
description | Updated JBoss Enterprise Application Platform (JBEAP) 4.2 packages that fix various security issues are now available for Red Hat Enterprise Linux 4 as JBEAP 4.2.0.CP04. This update has been rated as having low security impact by the Red Hat Security Response Team. JBoss Enterprise Application Platform is the market leading platform for innovative and scalable Java applications; integrating the JBoss Application Server, with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution. This release of JBEAP for Red Hat Enterprise Linux 4 serves as a replacement to JBEAP 4.2.0.CP03. These updated packages include bug fixes and enhancements which are detailed in the release notes. The link to the release notes is available below in the References section. The following security issues are also fixed with this release: The default security policy in the JULI logging component did not restrict access permissions to files. This could be misused by untrusted web applications to access and write arbitrary files in the context of the tomcat process. (CVE-2007-5342) The property that controls the download of server classes was set to |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63866 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/63866 |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 31300. CVE ID: CVE-2008-3519. CNCVE ID: CNCVE-20083519. JBoss Enterprise Application Platform is an enterprise-grade application platform for developing JBoss-based applications. JBoss Enterprise Application Platform contains a configuration error that a remote attacker can exploit to obtain sensitive information. The JBossAs component of EAP sets the DownloadServerClasses property to 'true' in the 'production' configuration, whereas a production environment must default this property to 'false' to prevent the download of non-EJB classes; leaving it enabled allows information disclosure. Affected: RedHat JBoss Enterprise Application Platform 4.3 EL5, RedHat JBoss Enterprise Application Platform 4.3 EL4, RedHat JBoss Enterprise Application Platform 4.3 CP01, RedHat JBoss Enterprise Application Platform 4.3, RedHat JBoss Enterprise Application Platform 4.2 EL5, RedHat JBoss Enterprise Application Platform 4.2 EL4, RedHat JBoss Enterprise Application Platform 4.2 CP03, RedHat JBoss Enterprise Application Platform 4.2. Patch information is available at the following links: http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp04/html-single/readme/index.html and http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp02/html-single/readme/index.html |
id | SSV:4083 |
last seen | 2017-11-19 |
modified | 2008-09-24 |
published | 2008-09-24 |
reporter | Root |
title | JBoss Enterprise Application Platform class file information disclosure vulnerability |
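The summary above and the Seebug description both come down to one setting: in the production server profile the WebService MBean's DownloadServerClasses attribute is true, so the RMI class-download service hands out non-EJB classes from the server classpath to anyone who can reach its port. The following audit script is an added example and is not code from the advisory, Red Hat or JBoss. It assumes the JBoss AS/EAP 4.x layout in which that attribute lives in server/<profile>/conf/jboss-service.xml under an MBean of class org.jboss.web.WebService; the sample configuration blocks are constructed to that shape. Applying the CP04/CP02 update is the vendor fix; the script is for confirming that every profile you actually run carries an explicit false, since the vulnerable and corrected files differ by exactly that one line.

```python
"""Audit JBoss AS/EAP 4.x profiles for the DownloadServerClasses setting
described in CVE-2008-3519. Added example, not vendor code."""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the WebService MBean block as it appears in
# conf/jboss-service.xml. MBean class, MBean name and attribute names follow
# the JBoss AS 4.x layout of that file (assumed here; verify against the file
# shipped in your server/<profile>/conf directory).
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<server>
  <mbean code="org.jboss.web.WebService" name="jboss:service=WebService">
    <attribute name="Port">8083</attribute>
    <attribute name="Host">${jboss.bind.address}</attribute>
    <attribute name="DownloadServerClasses">true</attribute>
    <attribute name="DownloadResources">false</attribute>
  </mbean>
</server>
"""

# The corrected block: the only change is the attribute value.
HARDENED_CONFIG = VULNERABLE_CONFIG.replace(
    '<attribute name="DownloadServerClasses">true</attribute>',
    '<attribute name="DownloadServerClasses">false</attribute>',
)

WEBSERVICE_MBEAN = "org.jboss.web.WebService"
PROPERTY = "DownloadServerClasses"


def audit_download_server_classes(xml_text):
    """Return (mbean name, observed value) for every WebService MBean whose
    DownloadServerClasses attribute is not explicitly 'false'.

    The observed value is None when the attribute is absent. An absent
    attribute is reported as well: the fix is an explicit 'false', and a
    profile that omits the attribute should not be trusted to be hardened.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for mbean in root.iter("mbean"):
        if mbean.get("code") != WEBSERVICE_MBEAN:
            continue
        value = None
        for attr in mbean.findall("attribute"):
            if attr.get("name") == PROPERTY:
                value = (attr.text or "").strip().lower()
        if value != "false":
            findings.append((mbean.get("name"), value))
    return findings


def audit_server_root(server_root):
    """Walk server/<profile>/conf/jboss-service.xml under a JBoss install
    root (directory layout assumed) and return {profile: findings} for every
    profile that is not hardened."""
    results = {}
    profiles_dir = os.path.join(server_root, "server")
    if not os.path.isdir(profiles_dir):
        return results
    for profile in sorted(os.listdir(profiles_dir)):
        path = os.path.join(profiles_dir, profile, "conf", "jboss-service.xml")
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            findings = audit_download_server_classes(fh.read())
        if findings:
            results[profile] = findings
    return results


if __name__ == "__main__":
    # Run the check on the two constructed samples, then on a real install
    # root if one is given on the command line.
    for label, cfg in (("vulnerable sample", VULNERABLE_CONFIG),
                       ("hardened sample", HARDENED_CONFIG)):
        print(label, "->", audit_download_server_classes(cfg) or "OK")
    if len(sys.argv) > 1:
        for profile, findings in audit_server_root(sys.argv[1]).items():
            print(f"profile {profile}: {findings}")
```

Run it with the JBoss install root as the argument to see which profiles still serve server classes; the production profile is the one the advisory names, but any profile that is started should be checked, and the service's port should not be reachable from untrusted networks regardless of this setting.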
References
- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=458823
- http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp04/html-single/readme/index.html
- http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp02/html-single/readme/index.html
- http://www.redhat.com/support/errata/RHSA-2008-0831.html
- http://www.redhat.com/support/errata/RHSA-2008-0832.html
- http://www.redhat.com/support/errata/RHSA-2008-0833.html
- http://www.redhat.com/support/errata/RHSA-2008-0834.html
- http://www.securityfocus.com/bid/31300
- http://www.securitytracker.com/id?1020905
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45305