CVE-2013-2165

Impact: Critical
Public: 2013-07-10
CWE: CWE-502
Bugzilla: 973570: CVE-2013-2165 JBoss RichFaces: Remote code execution due to insecure deserialization

Details

The MITRE CVE dictionary describes this issue as:

ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.

Find out more about CVE-2013-2165 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 7.5
Base Metrics: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform | Errata | Release Date
JBoss Enterprise BRMS Platform 5.3 | RHSA-2013:1045 | July 11, 2013
Red Hat JBoss Enterprise Application Platform 4.3 | RHSA-2013:1045 | July 11, 2013
Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS (jboss-seam2) | RHSA-2013:1044 | July 11, 2013
Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server (jboss-seam2) | RHSA-2013:1044 | July 11, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (richfaces) | RHSA-2013:1042 | July 10, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (richfaces) | RHSA-2013:1042 | July 10, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (richfaces) | RHSA-2013:1042 | July 10, 2013
Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2013:1045 | July 11, 2013
Red Hat JBoss Operations Network 2.4 | RHSA-2013:1045 | July 11, 2013
Red Hat JBoss Operations Network 3.1 | RHSA-2013:1045 | July 11, 2013
Red Hat JBoss Portal 4.3 | RHSA-2013:1045 | July 11, 2013
Red Hat JBoss Portal 5.2 | RHSA-2013:1045 | July 11, 2013
Red Hat JBoss SOA Platform 4.3 | RHSA-2013:1045 | July 11, 2013
Red Hat JBoss SOA Platform 5.3 | RHSA-2013:1045 | July 11, 2013
Red Hat JBoss Web Framework Kit 2.3 | RHSA-2013:1041 | July 10, 2013
Red Hat JBoss Web Platform 5 for RHEL 4 AS (richfaces) | RHSA-2013:1043 | July 10, 2013
Red Hat JBoss Web Platform 5 for RHEL 5 Server (richfaces) | RHSA-2013:1043 | July 10, 2013
Red Hat JBoss Web Platform 5 for RHEL 6 Server (richfaces) | RHSA-2013:1043 | July 10, 2013
Red Hat JBoss Web Platform 5.2 | RHSA-2013:1045 | July 11, 2013

Acknowledgements

Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure Directions, Inc.) for reporting this issue.

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.