CVE-2015-0297

Impact:
Critical
Public Date:
2015-04-14
CWE:
CWE-306
Bugzilla:
1198008: CVE-2015-0297 RHQ: ServerInvokerServlet remote code exec
It was discovered that the JBoss Operations Network server did not correctly restrict access to certain remote APIs. A remote, unauthenticated attacker could use this flaw to execute arbitrary Java methods via ServerInvokerServlet or SchedulerService, and possibly exhaust all available disk space via ContentManager.

Find out more about CVE-2015-0297 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 7.5
Base Metrics: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform: Red Hat JBoss Operations Network 3.3
Errata: RHSA-2015:0862
Release Date: 2015-04-21

Affected Packages State

Platform: Red Hat JBoss Operations Network 3
Package: Security
State: Affected

Acknowledgements

Red Hat would like to thank Alessandro Cavaliere for reporting this issue.
