Vulnerabilities > CVE-2011-4610 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Redhat products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
redhat
CWE-119
nessus

Summary

JBoss Web, as used in Red Hat JBoss Communications Platform before 5.1.3, Enterprise Web Platform before 5.1.2, Enterprise Application Platform before 5.1.2, and other products, allows remote attackers to cause a denial of service (infinite loop) via vectors related to a crafted UTF-8 and a "surrogate pair character" that is "at the boundary of an internal buffer."

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

NASL familyRed Hat Local Security Checks
NASL idREDHAT-RHSA-2012-0074.NASL
descriptionUpdated jbossweb packages that fix multiple security issues are now available for JBoss Enterprise Application Platform 5.1.2 for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Web is the web container, based on Apache Tomcat, in JBoss Enterprise Application Platform. It provides a single deployment platform for the JavaServer Pages (JSP) and Java Servlet technologies. A flaw was found in the way JBoss Web handled UTF-8 surrogate pair characters. If JBoss Web was hosting an application with UTF-8 character encoding enabled, or that included user-supplied UTF-8 strings in a response, a remote attacker could use this flaw to cause a denial of service (infinite loop) on the JBoss Web server. (CVE-2011-4610) It was found that the Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause JBoss Web to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters and headers processed per request to mitigate this issue. The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties in
last seen2020-04-16
modified2013-01-24
plugin id64022
published2013-01-24
reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/64022
titleRHEL 5 / 6 : jbossweb (RHSA-2012:0074)
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2012:0074. The text 
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(64022);
  script_version("1.25");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/15");

  script_cve_id("CVE-2011-1184", "CVE-2011-2526", "CVE-2011-4610", "CVE-2011-4858", "CVE-2011-5062", "CVE-2011-5063", "CVE-2011-5064", "CVE-2012-0022");
  script_xref(name:"RHSA", value:"2012:0074");

  script_name(english:"RHEL 5 / 6 : jbossweb (RHSA-2012:0074)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated jbossweb packages that fix multiple security issues are now
available for JBoss Enterprise Application Platform 5.1.2 for Red Hat
Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

JBoss Web is the web container, based on Apache Tomcat, in JBoss
Enterprise Application Platform. It provides a single deployment
platform for the JavaServer Pages (JSP) and Java Servlet technologies.

A flaw was found in the way JBoss Web handled UTF-8 surrogate pair
characters. If JBoss Web was hosting an application with UTF-8
character encoding enabled, or that included user-supplied UTF-8
strings in a response, a remote attacker could use this flaw to cause
a denial of service (infinite loop) on the JBoss Web server.
(CVE-2011-4610)

It was found that the Java hashCode() method implementation was
susceptible to predictable hash collisions. A remote attacker could
use this flaw to cause JBoss Web to use an excessive amount of CPU
time by sending an HTTP request with a large number of parameters
whose names map to the same hash value. This update introduces a limit
on the number of parameters and headers processed per request to
mitigate this issue. The default limit is 512 for parameters and 128
for headers. These defaults can be changed by setting the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties in
'jboss-as/server/[PROFILE]/deploy/properties-service.xml'.
(CVE-2011-4858)

It was found that JBoss Web did not handle large numbers of parameters
and large parameter values efficiently. A remote attacker could make a
JBoss Web server use an excessive amount of CPU time by sending an
HTTP request containing a large number of parameters or large
parameter values. This update introduces limits on the number of
parameters and headers processed per request to address this issue.
Refer to the CVE-2011-4858 description for information about the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

Multiple flaws were found in the way JBoss Web handled HTTP DIGEST
authentication. These flaws weakened the JBoss Web HTTP DIGEST
authentication implementation, subjecting it to some of the weaknesses
of HTTP BASIC authentication, for example, allowing remote attackers
to perform session replay attacks. (CVE-2011-1184, CVE-2011-5062,
CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way JBoss Web handled sendfile request
attributes when using the HTTP APR (Apache Portable Runtime) or NIO
(Non-Blocking I/O) connector. A malicious web application running on a
JBoss Web instance could use this flaw to bypass security manager
restrictions and gain access to files it would otherwise be unable to
access, or possibly terminate the Java Virtual Machine (JVM).
(CVE-2011-2526)

Red Hat would like to thank NTT OSSC for reporting CVE-2011-4610;
oCERT for reporting CVE-2011-4858; and the Apache Tomcat project for
reporting CVE-2011-2526. oCERT acknowledges Julian Walde and
Alexander Klink as the original reporters of CVE-2011-4858.

Warning: Before applying this update, back up your JBoss Enterprise
Application Platform's 'jboss-as/server/[PROFILE]/deploy/' directory,
along with all other customized configuration files.

Users of JBoss Enterprise Application Platform 5.1.2 on Red Hat
Enterprise Linux 4, 5, and 6 should upgrade to these updated packages,
which correct these issues. The JBoss server process must be restarted
for this update to take effect."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2012:0074"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-2526"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-1184"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-5062"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-5063"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-5064"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-4858"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-0022"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-4610"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossweb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossweb-el-1.0-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossweb-jsp-2.1-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossweb-lib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossweb-servlet-2.5-api");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/07/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/24");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^(5|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2012:0074";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL5", reference:"jbossweb-2.1.12-3_patch_03.2.ep5.el5")) flag++;
  if (rpm_check(release:"RHEL5", reference:"jbossweb-el-1.0-api-2.1.12-3_patch_03.2.ep5.el5")) flag++;
  if (rpm_check(release:"RHEL5", reference:"jbossweb-jsp-2.1-api-2.1.12-3_patch_03.2.ep5.el5")) flag++;
  if (rpm_check(release:"RHEL5", reference:"jbossweb-lib-2.1.12-3_patch_03.2.ep5.el5")) flag++;
  if (rpm_check(release:"RHEL5", reference:"jbossweb-servlet-2.5-api-2.1.12-3_patch_03.2.ep5.el5")) flag++;

  if (rpm_check(release:"RHEL6", reference:"jbossweb-2.1.12-3_patch_03.2.ep5.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"jbossweb-el-1.0-api-2.1.12-3_patch_03.2.ep5.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"jbossweb-jsp-2.1-api-2.1.12-3_patch_03.2.ep5.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"jbossweb-lib-2.1.12-3_patch_03.2.ep5.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"jbossweb-servlet-2.5-api-2.1.12-3_patch_03.2.ep5.el6")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jbossweb / jbossweb-el-1.0-api / jbossweb-jsp-2.1-api / etc");
  }
}

Redhat

advisories
  • rhsa
    idRHSA-2012:0074
  • rhsa
    idRHSA-2012:0075
  • rhsa
    idRHSA-2012:0076
  • rhsa
    idRHSA-2012:0077
  • rhsa
    idRHSA-2012:0078
  • rhsa
    idRHSA-2012:0325
rpms
  • jbossweb-0:2.1.12-3_patch_03.2.ep5.el4
  • jbossweb-0:2.1.12-3_patch_03.2.ep5.el5
  • jbossweb-0:2.1.12-3_patch_03.2.ep5.el6
  • jbossweb-el-1.0-api-0:2.1.12-3_patch_03.2.ep5.el4
  • jbossweb-el-1.0-api-0:2.1.12-3_patch_03.2.ep5.el5
  • jbossweb-el-1.0-api-0:2.1.12-3_patch_03.2.ep5.el6
  • jbossweb-jsp-2.1-api-0:2.1.12-3_patch_03.2.ep5.el4
  • jbossweb-jsp-2.1-api-0:2.1.12-3_patch_03.2.ep5.el5
  • jbossweb-jsp-2.1-api-0:2.1.12-3_patch_03.2.ep5.el6
  • jbossweb-lib-0:2.1.12-3_patch_03.2.ep5.el4
  • jbossweb-lib-0:2.1.12-3_patch_03.2.ep5.el5
  • jbossweb-lib-0:2.1.12-3_patch_03.2.ep5.el6
  • jbossweb-servlet-2.5-api-0:2.1.12-3_patch_03.2.ep5.el4
  • jbossweb-servlet-2.5-api-0:2.1.12-3_patch_03.2.ep5.el5
  • jbossweb-servlet-2.5-api-0:2.1.12-3_patch_03.2.ep5.el6
  • jbossweb-0:2.1.12-3_patch_03.2.ep5.el4
  • jbossweb-0:2.1.12-3_patch_03.2.ep5.el5
  • jbossweb-0:2.1.12-3_patch_03.2.ep5.el6
  • jbossweb-el-1.0-api-0:2.1.12-3_patch_03.2.ep5.el4
  • jbossweb-el-1.0-api-0:2.1.12-3_patch_03.2.ep5.el5
  • jbossweb-el-1.0-api-0:2.1.12-3_patch_03.2.ep5.el6
  • jbossweb-jsp-2.1-api-0:2.1.12-3_patch_03.2.ep5.el4
  • jbossweb-jsp-2.1-api-0:2.1.12-3_patch_03.2.ep5.el5
  • jbossweb-jsp-2.1-api-0:2.1.12-3_patch_03.2.ep5.el6
  • jbossweb-lib-0:2.1.12-3_patch_03.2.ep5.el4
  • jbossweb-lib-0:2.1.12-3_patch_03.2.ep5.el5
  • jbossweb-lib-0:2.1.12-3_patch_03.2.ep5.el6
  • jbossweb-servlet-2.5-api-0:2.1.12-3_patch_03.2.ep5.el4
  • jbossweb-servlet-2.5-api-0:2.1.12-3_patch_03.2.ep5.el5
  • jbossweb-servlet-2.5-api-0:2.1.12-3_patch_03.2.ep5.el6

Seebug

bulletinFamilyexploit
descriptionBugtraq ID: 51829 CVE ID:CVE-2011-4610 JBOSS是一个基于J2EE的开放源代码的应用服务器。 当代理对(Surrogate Pairs)字符位于内部缓冲区边界时JBoss Web会进入一个无限循环,远程攻击者可以利用此缺陷触发对JBoss Web服务器的拒绝服务攻击。此JBoss Web服务器上的应用程序需使用UTF-8字符编码或在应答中包含用户提供的UTF-8字符串。 0 Red Hat JBoss Enterprise Web Platform 5.1.2 Red Hat JBoss Enterprise Web Platform 5 EL6 Red Hat JBoss Enterprise Web Platform 5 EL5 Red Hat JBoss Enterprise Web Platform 5 EL4 Red Hat JBoss Enterprise Application Platform 5.1.2 Red Hat JBoss Enterprise Application Platform 5 EL6 Red Hat JBoss Enterprise Application Platform 5 EL5 Red Hat JBoss Enterprise Application Platform 5 EL4 Red Hat JBoss Communications Platform 5.1.3 厂商解决方案 用户可参考如下供应商提供的安全公告获得补丁信息: https://rhn.redhat.com/errata/RHSA-2012-0078.html
idSSV:30081
last seen2017-11-19
modified2012-02-04
published2012-02-04
reporterRoot
titleJBoss Web 远程拒绝服务漏洞(CVE-2011-4610)