CVE-2013-4213 - Improper Access Control vulnerability in Red Hat JBoss Enterprise Application Platform 6.1.0
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE
Summary
Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by the EJB client API, which allows remote attackers to hijack sessions by using an EJB client.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Embedding Scripts within Scripts: An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back-end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client-side scripts like Ajax and client-side JavaScript can contain malicious scripts as well. In general, all that is required is sufficient privilege to execute a script that is not protected against writing.
- Signature Spoofing by Key Theft: An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2013-1437.NASL
description: The version of JBoss Enterprise Portal Platform on the remote system is affected by the following issues:
- A flaw in CSRF prevention filter in JBoss Web could allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. (CVE-2012-4431)
- A flaw that occurs when the COOKIE session tracking method is used can allow attackers to hijack users
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 72237
published: 2014-01-31
reporter: This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/72237
title: JBoss Portal 6.1.0 Update (RHSA-2013:1437)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(72237);
  script_version("1.8");
  script_cvs_date("Date: 2019/10/24 15:35:37");

  script_cve_id(
    "CVE-2012-4431", "CVE-2012-4529", "CVE-2012-4572", "CVE-2012-5575",
    "CVE-2013-1921", "CVE-2013-2067", "CVE-2013-2102", "CVE-2013-2160",
    "CVE-2013-2172", "CVE-2013-4112", "CVE-2013-4128", "CVE-2013-4213"
  );
  script_bugtraq_id(
    56814, 59799, 60040, 60043, 60045, 60846,
    61030, 61179, 61739, 61742, 62256, 63196
  );
  script_xref(name:"RHSA", value:"2013:1437");

  script_name(english:"JBoss Portal 6.1.0 Update (RHSA-2013:1437)");
  script_summary(english:"Checks for the install versions of JBoss Portal");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of JBoss Enterprise Portal Platform on the remote system is
affected by the following issues:

  - A flaw in CSRF prevention filter in JBoss Web could allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. (CVE-2012-4431)

  - A flaw that occurs when the COOKIE session tracking method is used can allow attackers to hijack users' sessions. (CVE-2012-4529)

  - A flaw that occurs when multiple applications use the same custom authorization module class name can allow a local attacker to deploy a malicious application that overrides the custom authorization modules provided by other applications. (CVE-2012-4572)

  - The framework does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting. This can allow remote attackers to force the system to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications. (CVE-2012-5575)

  - A flaw in PicketBox can allow local users to obtain the admin encryption key by reading the Vault data file. (CVE-2013-1921)

  - A session fixation flaw was found in the FormAuthenticator module. (CVE-2013-2067)

  - A flaw that occurs when a JGroups channel was started results in the JGroups diagnostics service being enabled by default with no authentication via IP multicast. A remote attacker can make use of this flaw to read diagnostics information. (CVE-2013-2102)

  - A flaw in the StAX parser implementation can allow remote attackers to cause a denial of service via crafted XML. (CVE-2013-2160)

  - A flaw in Apache Santuario XML Security can allow context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak algorithm. (CVE-2013-2172)

  - A flaw in JGroup's DiagnosticsHandler can allow remote attackers to obtain sensitive information and execute arbitrary code by re-using valid credentials. (CVE-2013-4112)

  - A flaw in the manner in which authenticated connections were cached on the server by remote-naming can allow remote attackers to hijack sessions by using a remoting client. (CVE-2013-4128)

  - A flaw in the manner in which connections for EJB invocations were cached on the server can allow remote attackers to hijack sessions by using an EJB client. (CVE-2013-4213)");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=868202");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=872059");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=880443");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=883636");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=929197");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=948106");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=961779");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=963984");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=983489");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=984795");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=985359");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=999263");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4431.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4529.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4572.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-5575.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-1921.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2067.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2102.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2160.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2172.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-4112.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-4128.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-4213.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade the installed JBoss Portal 6.0.0 to 6.1.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/10/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_portal_platform:6.1.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl", "jboss_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# We are only interested in Red Hat systems
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");

info = "";
jboss = 0;
installs = get_kb_list_or_exit("Host/JBoss/Portal Platform");
if(!isnull(installs)) jboss = 1;

foreach install (make_list(installs))
{
  match = eregmatch(string:install, pattern:"([^:]+):(.*)");
  if (!isnull(match))
  {
    ver = match[1];
    path = match[2];
    if (ver =~ "^6.0.0([^0-9]|$)")
    {
      info += '\n' + ' Path : ' + path+ '\n';
      info += ' Version : ' + ver + '\n';
    }
  }
}

# Report what we found.
if (info)
{
  set_kb_item(name:"www/0/XSRF", value:TRUE);
  if (report_verbosity > 0)
  {
    if (max_index(split(info)) > 3) s = 's of JBoss Enterprise Portal Platform are';
    else s = ' of JBoss Enterprise Portal Platform is';
    report = '\n' + 'The following instance'+s+' out of date and\nshould be upgraded to 6.1.0 or later :\n' + info;
    security_hole(port:0, extra:report);
  }
  else security_hole(port:0);
}
else if ( (!info) && (jboss) )
{
  exit(0, "The JBoss Enterprise Portal Platform version installed is not affected.");
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2013-1151.NASL
description: Updated Red Hat JBoss Enterprise Application Platform 6.1.0 packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. A flaw was discovered in the way authenticated connections were cached on the server by remote-naming. After a user has successfully logged in, a remote attacker could use a remoting client to log in as that user without knowing their password, allowing them to access data and perform actions with the privileges of that user. (CVE-2013-4128) A flaw was discovered in the way connections for remote EJB invocations via the EJB client API were cached on the server. After a user has successfully logged in, a remote attacker could use an EJB client to log in as that user without knowing their password, allowing them to access data and perform actions with the privileges of that user. (CVE-2013-4213) These issues were discovered by Wolf-Dieter Fink of the Red Hat GSS Team. Warning: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. All users of Red Hat JBoss Enterprise Application Platform 6.1.0 on Red Hat Enterprise Linux 5 and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 69315
published: 2013-08-13
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/69315
title: RHEL 5 / 6 : JBoss EAP (RHSA-2013:1151)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2013:1151. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(69315);
  script_version("1.15");
  script_cvs_date("Date: 2019/10/24 15:35:37");

  script_cve_id("CVE-2013-4128", "CVE-2013-4213");
  script_bugtraq_id(61739, 61742);
  script_xref(name:"RHSA", value:"2013:1151");

  script_name(english:"RHEL 5 / 6 : JBoss EAP (RHSA-2013:1151)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated Red Hat JBoss Enterprise Application Platform 6.1.0 packages
that fix two security issues are now available for Red Hat Enterprise
Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

A flaw was discovered in the way authenticated connections were cached
on the server by remote-naming. After a user has successfully logged
in, a remote attacker could use a remoting client to log in as that
user without knowing their password, allowing them to access data and
perform actions with the privileges of that user. (CVE-2013-4128)

A flaw was discovered in the way connections for remote EJB
invocations via the EJB client API were cached on the server. After a
user has successfully logged in, a remote attacker could use an EJB
client to log in as that user without knowing their password, allowing
them to access data and perform actions with the privileges of that
user. (CVE-2013-4213)

These issues were discovered by Wolf-Dieter Fink of the Red Hat GSS
Team.

Warning: Before applying this update, back up your existing Red Hat
JBoss Enterprise Application Platform installation and deployed
applications.

All users of Red Hat JBoss Enterprise Application Platform 6.1.0 on Red
Hat Enterprise Linux 5 and 6 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to
take effect."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2013:1151"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2013-4128"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2013-4213"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Update the affected jboss-as-client-all, jboss-ejb-client and / or
jboss-remote-naming packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-remote-naming");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/08/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/08/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/13");

  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^(5|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2013:1151";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (! (rpm_exists(release:"RHEL5", rpm:"jboss-as-client-all-") || rpm_exists(release:"RHEL6", rpm:"jboss-as-client-all-"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP");

  if (rpm_check(release:"RHEL5", reference:"jboss-as-client-all-7.2.0-9.Final_redhat_9.ep6.el5")) flag++;
  if (rpm_check(release:"RHEL5", reference:"jboss-ejb-client-1.0.21-2.Final_redhat_2.ep6.el5")) flag++;
  if (rpm_check(release:"RHEL5", reference:"jboss-remote-naming-1.0.6-3.Final_redhat_3.ep6.el5")) flag++;

  if (rpm_check(release:"RHEL6", reference:"jboss-as-client-all-7.2.0-9.Final_redhat_9.ep6.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"jboss-ejb-client-1.0.21-2.Final_redhat_2.ep6.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"jboss-remote-naming-1.0.6-3.Final_redhat_3.ep6.el6")) flag++;

  if (flag)
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jboss-as-client-all / jboss-ejb-client / jboss-remote-naming");
  }
}
```
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2013-1152.NASL
description: The version of JBoss Enterprise Application Platform running on the remote system is vulnerable to the following issues:
- A flaw in the way authenticated connections are cached on the server by remote-naming could allow a remote attacker to log in as another user without knowing their password. (CVE-2013-4128)
- A flaw in the way connections for remote EJB invocations via the EJB client API are cached on the server could allow a remote attacker to use an EJB client to log in as another user without knowing their password. (CVE-2013-4213)
last seen: 2019-10-28
modified: 2014-02-03
plugin id: 72261
published: 2014-02-03
reporter: This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/72261
title: Red Hat JBoss Enterprise Application Platform 6.1.0 Security Update (RHSA-2013:1152)
Redhat
Seebug
bulletinFamily | exploit |
description | CVE ID: CVE-2013-4213. JBoss is an open-source application server based on J2EE. JBoss Enterprise Application Platform has a flaw in the way the server caches connections for remote EJB invocations made through the EJB client API; a remote attacker can use an EJB client to bypass authentication, log in in the context of another user's account, and access data and perform actions. Affected: JBoss Enterprise Application Platform 6.1.0. Vendor solution: users can refer to the following vendor security advisories for patch information: http://rhn.redhat.com/errata/RHSA-2013-1151.html http://rhn.redhat.com/errata/RHSA-2013-1152.html |
id | SSV:60976 |
last seen | 2017-11-19 |
modified | 2013-08-27 |
published | 2013-08-27 |
reporter | Root |
title | JBoss Enterprise Application Platform Remote EJB Invocation Connection Cache Handling Authentication Bypass Vulnerability |
References
- http://osvdb.org/96216
- http://rhn.redhat.com/errata/RHSA-2013-1151.html
- http://rhn.redhat.com/errata/RHSA-2013-1152.html
- http://rhn.redhat.com/errata/RHSA-2013-1437.html
- http://secunia.com/advisories/54508
- http://www.securitytracker.com/id/1028898
- https://bugzilla.redhat.com/show_bug.cgi?id=985359
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86387