CVE-2013-4128 - Configuration vulnerability in Redhat Jboss Enterprise Application Platform 6.1.0

CVSS 6.4 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE

Tags: network, low complexity, redhat, CWE-16, nessus

Summary

Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by remote-naming, which allows remote attackers to hijack sessions by using a remoting client.

Vulnerable Configurations

Part          Description   Count
Application   Redhat        1

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2013-1437.NASL
    description: The version of JBoss Enterprise Portal Platform on the remote system is affected by the following issues:
      - A flaw in CSRF prevention filter in JBoss Web could allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. (CVE-2012-4431)
      - A flaw that occurs when the COOKIE session tracking method is used can allow attackers to hijack users
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 72237
    published: 2014-01-31
    reporter: This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/72237
    title: JBoss Portal 6.1.0 Update (RHSA-2013:1437)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(72237);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/24 15:35:37");
    
      script_cve_id(
        "CVE-2012-4431",
        "CVE-2012-4529",
        "CVE-2012-4572",
        "CVE-2012-5575",
        "CVE-2013-1921",
        "CVE-2013-2067",
        "CVE-2013-2102",
        "CVE-2013-2160",
        "CVE-2013-2172",
        "CVE-2013-4112",
        "CVE-2013-4128",
        "CVE-2013-4213"
      );
      script_bugtraq_id(
        56814,
        59799,
        60040,
        60043,
        60045,
        60846,
        61030,
        61179,
        61739,
        61742,
        62256,
        63196
      );
      script_xref(name:"RHSA", value:"2013:1437");
    
      script_name(english:"JBoss Portal 6.1.0 Update (RHSA-2013:1437)");
      script_summary(english:"Checks for the install versions of JBoss Portal");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Red Hat host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "The version of JBoss Enterprise Portal Platform on the remote system is
    affected by the following issues:
    
      - A flaw in CSRF prevention filter in JBoss Web could allow
        remote attackers to bypass the cross-site request forgery
        (CSRF) protection mechanism via a request that lacks a
        session identifier. (CVE-2012-4431)
    
      - A flaw that occurs when the COOKIE session tracking
        method is used can allow attackers to hijack users'
        sessions. (CVE-2012-4529)
    
      - A flaw that occurs when multiple applications use the
        same custom authorization module class name can allow a
        local attacker to deploy a malicious application that
        overrides the custom authorization modules provided by
        other applications. (CVE-2012-4572)
    
      - The framework does not verify that a specified
        cryptographic algorithm is allowed by the
        WS-SecurityPolicy AlgorithmSuite definition before
        decrypting.  This can allow remote attackers to force
        the system to use weaker cryptographic algorithms than
        intended and makes it easier to decrypt communications.
        (CVE-2012-5575)
    
      - A flaw in PicketBox can allow local users to obtain the
        admin encryption key by reading the Vault data file.
        (CVE-2013-1921)
    
      - A session fixation flaw was found in the
        FormAuthenticator module. (CVE-2013-2067)
    
      - A flaw that occurs when a JGroups channel was started
        results in the JGroups diagnostics service being enabled
        by default with no authentication via IP multicast. A
        remote attacker can make use of this flaw to read
        diagnostics information. (CVE-2013-2102)
    
      - A flaw in the StAX parser implementation can allow
        remote attackers to cause a denial of service via
        crafted XML. (CVE-2013-2160)
    
      - A flaw in Apache Santuario XML Security can allow
        context-dependent attackers to spoof an XML Signature
        by using the CanonicalizationMethod parameter to
        specify an arbitrary weak algorithm. (CVE-2013-2172)
    
      - A flaw in JGroup's DiagnosticsHandler can allow remote
        attackers to obtain sensitive information and execute
        arbitrary code by re-using valid credentials.
        (CVE-2013-4112)
    
      - A flaw in the manner in which authenticated connections
        were cached on the server by remote-naming can allow
        remote attackers to hijack sessions by using a remoting
        client. (CVE-2013-4128)
    
      - A flaw in the manner in which connections for EJB
        invocations were cached on the server can allow remote
        attackers to hijack sessions by using an EJB client.
        (CVE-2013-4213)");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=868202");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=872059");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=880443");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=883636");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=929197");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=948106");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=961779");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=963984");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=983489");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=984795");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=985359");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=999263");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4431.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4529.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4572.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-5575.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-1921.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2067.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2102.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2160.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2172.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-4112.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-4128.html");
      script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-4213.html");
    
      script_set_attribute(attribute:"solution", value:
    "Upgrade the installed JBoss Portal 6.0.0 to 6.1.0 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/10/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/31");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_portal_platform:6.1.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Red Hat Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl", "jboss_detect.nbin");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # We are only interested in Red Hat systems
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    
    info = "";
    jboss = 0;
    installs = get_kb_list_or_exit("Host/JBoss/Portal Platform");
    if(!isnull(installs)) jboss = 1;
    
    foreach install (make_list(installs))
    {
      match = eregmatch(string:install, pattern:"([^:]+):(.*)");
    
      if (!isnull(match))
      {
        ver = match[1];
        path = match[2];
    
        if (ver =~ "^6.0.0([^0-9]|$)")
        {
          info += '\n' + '  Path    : ' + path+ '\n';
          info += '  Version : ' + ver + '\n';
        }
      }
    }
    
    # Report what we found.
    if (info)
    {
      set_kb_item(name:"www/0/XSRF", value:TRUE);
      if (report_verbosity > 0)
      {
        if (max_index(split(info)) > 3) s = 's of JBoss Enterprise Portal Platform are';
        else s = ' of JBoss Enterprise Portal Platform is';
    
        report =
          '\n' +
          'The following instance'+s+' out of date and\nshould be upgraded to 6.1.0 or later :\n' +
          info;
    
        security_hole(port:0, extra:report);
      }
      else security_hole(port:0);
    }
    else if ( (!info) && (jboss) )
    {
      exit(0, "The JBoss Enterprise Portal Platform version installed is not affected.");
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2013-1151.NASL
    description: Updated Red Hat JBoss Enterprise Application Platform 6.1.0 packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6.

    The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

    Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

    A flaw was discovered in the way authenticated connections were cached on the server by remote-naming. After a user has successfully logged in, a remote attacker could use a remoting client to log in as that user without knowing their password, allowing them to access data and perform actions with the privileges of that user. (CVE-2013-4128)

    A flaw was discovered in the way connections for remote EJB invocations via the EJB client API were cached on the server. After a user has successfully logged in, a remote attacker could use an EJB client to log in as that user without knowing their password, allowing them to access data and perform actions with the privileges of that user. (CVE-2013-4213)

    These issues were discovered by Wolf-Dieter Fink of the Red Hat GSS Team.

    Warning: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

    All users of Red Hat JBoss Enterprise Application Platform 6.1.0 on Red Hat Enterprise Linux 5 and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 69315
    published: 2013-08-13
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/69315
    title: RHEL 5 / 6 : JBoss EAP (RHSA-2013:1151)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2013:1151. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(69315);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/24 15:35:37");
    
      script_cve_id("CVE-2013-4128", "CVE-2013-4213");
      script_bugtraq_id(61739, 61742);
      script_xref(name:"RHSA", value:"2013:1151");
    
      script_name(english:"RHEL 5 / 6 : JBoss EAP (RHSA-2013:1151)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated Red Hat JBoss Enterprise Application Platform 6.1.0 packages
    that fix two security issues are now available for Red Hat Enterprise
    Linux 5 and 6.
    
    The Red Hat Security Response Team has rated this update as having
    important security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
    applications based on JBoss Application Server 7.
    
    A flaw was discovered in the way authenticated connections were cached
    on the server by remote-naming. After a user has successfully logged
    in, a remote attacker could use a remoting client to log in as that
    user without knowing their password, allowing them to access data and
    perform actions with the privileges of that user. (CVE-2013-4128)
    
    A flaw was discovered in the way connections for remote EJB
    invocations via the EJB client API were cached on the server. After a
    user has successfully logged in, a remote attacker could use an EJB
    client to log in as that user without knowing their password, allowing
    them to access data and perform actions with the privileges of that
    user. (CVE-2013-4213)
    
    These issues were discovered by Wolf-Dieter Fink of the Red Hat GSS
    Team.
    
    Warning: Before applying this update, back up your existing Red Hat
    JBoss Enterprise Application Platform installation and deployed
    applications.
    
    All users of Red Hat JBoss Enterprise Application Platform 6.1.0 on
    Red Hat Enterprise Linux 5 and 6 are advised to upgrade to these
    updated packages. The JBoss server process must be restarted for the
    update to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2013:1151"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2013-4128"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2013-4213"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected jboss-as-client-all, jboss-ejb-client and / or
    jboss-remote-naming packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-remote-naming");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/08/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/08/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(5|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2013:1151";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL5", rpm:"jboss-as-client-all-") || rpm_exists(release:"RHEL6", rpm:"jboss-as-client-all-"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP");
    
      if (rpm_check(release:"RHEL5", reference:"jboss-as-client-all-7.2.0-9.Final_redhat_9.ep6.el5")) flag++;
      if (rpm_check(release:"RHEL5", reference:"jboss-ejb-client-1.0.21-2.Final_redhat_2.ep6.el5")) flag++;
      if (rpm_check(release:"RHEL5", reference:"jboss-remote-naming-1.0.6-3.Final_redhat_3.ep6.el5")) flag++;
    
      if (rpm_check(release:"RHEL6", reference:"jboss-as-client-all-7.2.0-9.Final_redhat_9.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"jboss-ejb-client-1.0.21-2.Final_redhat_2.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"jboss-remote-naming-1.0.6-3.Final_redhat_3.ep6.el6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jboss-as-client-all / jboss-ejb-client / jboss-remote-naming");
      }
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2013-1152.NASL
    description: The version of JBoss Enterprise Application Platform running on the remote system is vulnerable to the following issues:
      - A flaw in the way authenticated connections are cached on the server by remote-naming could allow a remote attacker to log in as another user without knowing their password. (CVE-2013-4128)
      - A flaw in the way connections for remote EJB invocations via the EJB client API are cached on the server could allow a remote attacker to use an EJB client to log in as another user without knowing their password. (CVE-2013-4213)
    last seen: 2019-10-28
    modified: 2014-02-03
    plugin id: 72261
    published: 2014-02-03
    reporter: This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/72261
    title: Red Hat JBoss Enterprise Application Platform 6.1.0 Security Update (RHSA-2013:1152)

Redhat

advisories
  • rhsa
    id: RHSA-2013:1151
  • rhsa
    id: RHSA-2013:1152
  • rhsa
    id: RHSA-2013:1437
rpms
  • jboss-as-client-all-0:7.2.0-9.Final_redhat_9.ep6.el5
  • jboss-as-client-all-0:7.2.0-9.Final_redhat_9.ep6.el6
  • jboss-ejb-client-0:1.0.21-2.Final_redhat_2.ep6.el5
  • jboss-ejb-client-0:1.0.21-2.Final_redhat_2.ep6.el6
  • jboss-remote-naming-0:1.0.6-3.Final_redhat_3.ep6.el5
  • jboss-remote-naming-0:1.0.6-3.Final_redhat_3.ep6.el6