CVE-2014-3558
It was discovered that the implementation of org.hibernate.validator.util.ReflectionHelper together with the permissions required to run Hibernate Validator under the Java Security Manager could allow a malicious application deployed in the same application container to execute several actions with escalated privileges, which might otherwise not be possible. This flaw could be used to perform various attacks, including but not restricted to, arbitrary code execution in systems that are otherwise secured by the Java Security Manager.
Find out more about CVE-2014-3558 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 3.3 |
|---|---|
| Base Metrics | AV:L/AC:M/Au:N/C:P/I:P/A:N |
| Access Vector | Local |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss BPMS 6.0 | RHSA-2015:0234 | 2015-02-17 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2014:1285 | 2014-09-23 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2014:1286 | 2014-09-23 |
| Red Hat JBoss Web Framework Kit 2.7 | RHSA-2015:0125 | 2015-02-04 |
| Red Hat JBoss Enterprise Application Platform 6.3 | RHSA-2014:1288 | 2014-09-23 |
| Red Hat JBoss Fuse Service Works 6.0 | RHSA-2015:0720 | 2015-03-24 |
| Red Hat JBoss BRMS 6.0 | RHSA-2015:0235 | 2015-02-17 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2014:1287 | 2014-09-23 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | hibernate3 | Not affected |
| Red Hat Satellite 6 | hibernate-validator | Fix deferred |
| Red Hat Satellite 5.6 | hibernate3 | Not affected |
| Red Hat JBoss Portal Platform 6 | hibernate-validator | Will not fix |
| Red Hat JBoss Portal 5 | hibernate-validator | Will not fix |
| Red Hat JBoss Operations Network 3 | hibernate-validator | Fix deferred |
| Red Hat JBoss Enterprise SOA Platform 5 | hibernate-validator | Will not fix |
| Red Hat JBoss EWS 2 | hibernate-validator | Not affected |
| Red Hat JBoss EWS 2 | hibernate3 | Not affected |
| Red Hat JBoss EWS 1 | hibernate3 | Not affected |
| Red Hat JBoss EAP 5 | hibernate-validator | Will not fix |
| Red Hat JBoss EAP 5 | hibernate3 | Not affected |
| Red Hat JBoss Data Virtualization 6 | hibernate-validator | Fix deferred |
| Red Hat JBoss Data Grid 6 | hibernate-validator | Fix deferred |
| Red Hat JBoss BRMS 5 | hibernate-validator | Will not fix |
| RHEV Manager 3 | rhevm-dependencies | Fix deferred |