Multiple vulnerabilities in JBoss Enterprise Application Platform
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2014-3464 CVE-2014-3472 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
JBoss Enterprise Application Platform Server applications / Application servers |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU41391
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-3464
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to read and manipulate data.
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133.
MitigationInstall update from vendor's website.
Vulnerable software versionsJBoss Enterprise Application Platform: 6.2.0 - 6.3.0
CPE2.3- cpe:2.3:a:red_hat:jboss_enterprise_application_platform:6.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_enterprise_application_platform:6.3.0:*:*:*:*:*:*:*
https://rhn.redhat.com/errata/RHSA-2014-1019.html
https://rhn.redhat.com/errata/RHSA-2014-1020.html
https://rhn.redhat.com/errata/RHSA-2014-1021.html
https://bugzilla.redhat.com/show_bug.cgi?id=1102317
https://exchange.xforce.ibmcloud.com/vulnerabilities/95409
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU41392
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-3472
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to read and manipulate data.
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsJBoss Enterprise Application Platform: 6.3.0
CPE2.3 External linkshttps://rhn.redhat.com/errata/RHSA-2014-1019.html
https://rhn.redhat.com/errata/RHSA-2014-1020.html
https://rhn.redhat.com/errata/RHSA-2014-1021.html
https://rhn.redhat.com/errata/RHSA-2015-0720.html
https://www.securityfocus.com/bid/69094
https://bugzilla.redhat.com/show_bug.cgi?id=1103815
https://exchange.xforce.ibmcloud.com/vulnerabilities/95170
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
