CVE Reference: CVE-2012-0874

NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE:
CVE-2012-0874

Description:
The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second layer of authentication," or when used in conjunction with other vulnerabilities that bypass this second layer.

CVE Status:
Candidate

References:

XF
  http://xforce.iss.net/xforce/xfdb/81511

ST
  1028042

SAID
  Secunia Advisory: SA51984
  Secunia Advisory: SA52054

REDHAT
  http://rhn.redhat.com/errata/RHSA-2013-0221.html
  http://rhn.redhat.com/errata/RHSA-2013-0198.html
  http://rhn.redhat.com/errata/RHSA-2013-0197.html
  http://rhn.redhat.com/errata/RHSA-2013-0196.html
  http://rhn.redhat.com/errata/RHSA-2013-0195.html
  http://rhn.redhat.com/errata/RHSA-2013-0194.html
  http://rhn.redhat.com/errata/RHSA-2013-0193.html
  http://rhn.redhat.com/errata/RHSA-2013-0192.html
  http://rhn.redhat.com/errata/RHSA-2013-0191.html
  http://rhn.redhat.com/errata/RHSA-2013-0533.html

MISC

EXPLOIT-DB
  http://www.exploit-db.com/exploits/30211

BUGTRAQ
  http://archives.neohapsis.com/archives/bugtraq/2013-12/0134.html

BID
  57552


Return to the previous page.