Red Hat Customer Portal

CVE-2013-2165

Impact: Critical
Public Date: 2013-07-10
CWE: CWE-502
Bugzilla: 973570: CVE-2013-2165 JBoss RichFaces: Remote code execution due to insecure deserialization

The MITRE CVE dictionary describes this issue as:

ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.

Find out more about CVE-2013-2165 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score: 7.5
Base Metrics: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat JBoss Web Framework Kit 2.3 | RHSA-2013:1041 | 2013-07-10
Red Hat JBoss Enterprise Application Platform 4.3 | RHSA-2013:1045 | 2013-07-11
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (richfaces) | RHSA-2013:1042 | 2013-07-10
Red Hat JBoss Web Platform 5 for RHEL 5 Server (richfaces) | RHSA-2013:1043 | 2013-07-10
Red Hat JBoss Web Platform 5.2 | RHSA-2013:1045 | 2013-07-11
Red Hat JBoss Operations Network 2.4 | RHSA-2013:1045 | 2013-07-11
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (richfaces) | RHSA-2013:1042 | 2013-07-10
Red Hat JBoss Portal 4.3 | RHSA-2013:1045 | 2013-07-11
Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server (jboss-seam2) | RHSA-2013:1044 | 2013-07-11
Red Hat JBoss Web Platform 5 for RHEL 4 AS (richfaces) | RHSA-2013:1043 | 2013-07-10
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (richfaces) | RHSA-2013:1042 | 2013-07-10
Red Hat JBoss SOA Platform 4.3 | RHSA-2013:1045 | 2013-07-11
Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2013:1045 | 2013-07-11
Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS (jboss-seam2) | RHSA-2013:1044 | 2013-07-11
Red Hat JBoss SOA Platform 5.3 | RHSA-2013:1045 | 2013-07-11
JBoss Enterprise BRMS Platform 5.3 | RHSA-2013:1045 | 2013-07-11
Red Hat JBoss Portal 5.2 | RHSA-2013:1045 | 2013-07-11
Red Hat JBoss Web Platform 5 for RHEL 6 Server (richfaces) | RHSA-2013:1043 | 2013-07-10
Red Hat JBoss Operations Network 3.1 | RHSA-2013:1045 | 2013-07-11

Acknowledgements

Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure Directions, Inc.) for reporting this issue.