CVE-2011-4605

Impact:
Important
Public Date:
2012-06-20
CWE:
CWE-306
Bugzilla:
766469: CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default

The MITRE CVE dictionary describes this issue as:

The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors.

Find out more about CVE-2011-4605 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score:            7.5
Base Metrics:          AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector:         Network
Access Complexity:     Low
Authentication:        None
Confidentiality Impact: Partial
Integrity Impact:      Partial
Availability Impact:   Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat JBoss SOA Platform 5.3 | RHSA-2012:1125 | 2012-07-31
Red Hat JBoss Web Platform 5 for RHEL 5 Server | RHSA-2012:1027 | 2012-06-20
Red Hat JBoss Enterprise Application Platform 5.1 | RHSA-2012:1022 | 2012-06-20
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS | RHSA-2012:1026 | 2012-06-20
Red Hat JBoss Portal 4.3 | RHSA-2012:1109 | 2012-07-23
Red Hat JBoss Web Platform 5 for RHEL 4 AS | RHSA-2012:1027 | 2012-06-20
JBoss Enterprise BRMS Platform 5.3 | RHSA-2012:1028 | 2012-06-22
Red Hat JBoss Web Platform 5 for RHEL 6 Server | RHSA-2012:1027 | 2012-06-20
Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server (jbossas) | RHSA-2012:1025 | 2012-06-20
Red Hat JBoss Web Platform 5.1 | RHSA-2012:1023 | 2012-06-20
Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS (jbossas) | RHSA-2012:1025 | 2012-06-20
Red Hat JBoss Portal 4.3 | RHSA-2012:1024 | 2012-06-20
Red Hat JBoss Portal 5.2 | RHSA-2012:1232 | 2012-09-05
Red Hat JBoss SOA Platform 4.2 | RHSA-2012:1295 | 2012-09-19
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server | RHSA-2012:1026 | 2012-06-20
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server | RHSA-2012:1026 | 2012-06-20

Acknowledgements

Red Hat would like to thank Christian Schlüter (VIADA) for reporting this issue.

Last Modified

CVE description copyright © 2017, The MITRE Corporation