Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2013-2165
Vulnerability from cvelistv5
Published
2013-07-22 19:00
Modified
2024-08-06 15:27
Severity ?
EPSS score ?
Summary
ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:27:41.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "JVN#38787103",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN38787103/index.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"name": "RHSA-2013:1045",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1045.html"
},
{
"name": "RHSA-2013:1041",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1041.html"
},
{
"name": "RHSA-2013:1043",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1043.html"
},
{
"name": "RHSA-2013:1044",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1044.html"
},
{
"name": "JVNDB-2013-000072",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB",
"x_transferred"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072"
},
{
"name": "RHSA-2013:1042",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1042.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html"
},
{
"name": "20200313 RichFaces exploitation toolkit",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Mar/21"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-07-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-14T00:06:03",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "JVN#38787103",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN38787103/index.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"name": "RHSA-2013:1045",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1045.html"
},
{
"name": "RHSA-2013:1041",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1041.html"
},
{
"name": "RHSA-2013:1043",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1043.html"
},
{
"name": "RHSA-2013:1044",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1044.html"
},
{
"name": "JVNDB-2013-000072",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072"
},
{
"name": "RHSA-2013:1042",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1042.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html"
},
{
"name": "20200313 RichFaces exploitation toolkit",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Mar/21"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-2165",
"datePublished": "2013-07-22T19:00:00",
"dateReserved": "2013-02-19T00:00:00",
"dateUpdated": "2024-08-06T15:27:41.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2013-2165\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2013-07-23T11:03:11.980\",\"lastModified\":\"2024-11-21T01:51:10.207\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.\"},{\"lang\":\"es\",\"value\":\"ResourceBuilderImpl.java en la implementaci\u00f3n de RichFaces 3.x a 5.x en la implementaci\u00f3n de Red Hat JBoss Web Framework Kit anterior a 2.3.0, Red Hat JBoss Web Platform a 5.2.0, Red Hat JBoss Enterprise Application Platform a 4.3.0 CP10 y 5.x a la 5.2.0, Red Hat JBoss BRMS hasta la 5.3.1, Red Hat JBoss SOA Platform hasta la 4.3.0 CP05 y 5.x hasta la 5.3.1, Red Hat JBoss Portal hasta la 4.3 CP07 y 5.x hasta 5.2.2, y Red Hat JBoss Operations Network hasta 2.4.2 y 3.x hasta la 3.1.2, no restringe las clases para la deserializaci\u00f3n de los m\u00e9todos que pueden ser invocados, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de datos serializados.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E82B2AD8-967D-4ABE-982B-87B9DE73F8D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp10:*:*:*:*:*:*\",\"matchCriteriaId\":\"424C0428-6E78-42B2-B77A-921116528D06\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5D7F1AD-4BD3-4C37-B6B5-B287464B2EEB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"76D8FCD1-55D5-4187-87DD-39904EDE2EF8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"972C5C87-E982-44A5-866D-FDEACB5203B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C13890AE-5FDE-4698-8A2E-1B2FA0A313AF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A785F07-9B76-4153-B676-29C9682B2F73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"46849C8D-36E9-4E97-BB49-E04F4EB199E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9CDC2527-97FE-409D-8DD6-78E085CC73C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"41B77A70-95E1-4333-90E4-8056389EEE92\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1BB18D40-E8EA-4EB7-A25D-15CE6B65E21F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E911B601-2A14-4C23-81FF-689DBDB79626\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DECC247-477B-4AB3-9FD4-B7B6726A728D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C70B67DF-8122-40D6-9301-B1DD31D71F55\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A6B1CE36-5131-425D-90BD-FC597F27B3E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp03:*:*:*:*:*:*\",\"matchCriteriaId\":\"8F570DE3-8759-44F9-B515-71889139A443\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp04:*:*:*:*:*:*\",\"matchCriteriaId\":\"B5FED015-A1E5-4CDC-9E99-97FA0ED2454D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp05:*:*:*:*:*:*\",\"matchCriteriaId\":\"D20B3197-3BB8-427B-8B92-D53B200A235A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp06:*:*:*:*:*:*\",\"matchCriteriaId\":\"A87344DF-9FA8-40B6-98B2-A43FB86BBB6E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp07:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9C9C8B4-693E-4777-BC31-5933147DFC54\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3221242F-802E-418B-BC9D-CFA200D99171\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5472541F-ED83-4656-AE18-1642F571D294\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"97165B18-1078-4215-94DA-0B6C4228056E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A62117F2-5513-4998-8FDC-64564BBD00EC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D66D2843-0273-4A3A-A9D1-48BBB15031B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6572BFDD-0A35-48CC-99A1-2BDE27BABB62\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3451D2AD-BB7B-4149-97C3-2DB1BCC0EF85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CDEABE3E-DC3E-4B98-8433-4308BBEE6F26\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp01:*:*:*:*:*:*\",\"matchCriteriaId\":\"70942A41-9089-4313-8B00-5CB92518A349\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp02:*:*:*:*:*:*\",\"matchCriteriaId\":\"093F7EA4-B190-49A5-AF55-42D4F960EEFE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp03:*:*:*:*:*:*\",\"matchCriteriaId\":\"75CBF063-6986-4217-BC8E-661B5167AB2A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp04:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F6528B6-1147-4366-8F81-8B380903EAA6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp05:*:*:*:*:*:*\",\"matchCriteriaId\":\"4EF1898E-1A25-442B-865F-1C27B9E5F0D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:tp02:*:*:*:*:*:*\",\"matchCriteriaId\":\"92953D9C-8FF0-4499-A4A4-3B05696D326E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C57B8004-AF15-4F0F-B9FA-A3CFF7BD42DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp01:*:*:*:*:*:*\",\"matchCriteriaId\":\"66F4FC45-CF67-44E4-96CA-31B537151C7E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp02:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7CF5F63-C7A8-4787-9620-F5B76A9F0F3E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp03:*:*:*:*:*:*\",\"matchCriteriaId\":\"9BCA6581-3C94-4B1B-B30F-E0B854A68968\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp04:*:*:*:*:*:*\",\"matchCriteriaId\":\"23F0650B-C39D-4C7D-8BB9-BBA951BA8AAE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp05:*:*:*:*:*:*\",\"matchCriteriaId\":\"67BD448A-745D-4387-ABC8-A18DF142574D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DFB8FED0-E0C6-409C-A2D8-B3999265D545\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DFC497FD-503A-463B-A75E-9C4B9B716521\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A8F224EE-A5A1-490B-91A5-0196B4168F32\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B72D56E-DE3C-4383-906D-F3DCD9D09CC9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"55661526-BC23-4853-BF6C-E1899D747EC5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"118B3D27-8BF7-48ED-9D22-564B7D515610\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2CD4700B-4C95-426E-ADF6-D165BB3E6F85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"93B87581-F441-4A93-B797-337B7572CC08\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DC20F443-4918-46D2-8251-1C8F072B7733\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F20B8708-8EC6-4B0E-9693-131F91A4FC15\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4C534793-58E0-45B9-84D7-D21E1C4C9F7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"38F66D5B-F906-437E-977E-F9F930648886\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DC1625FD-302E-457E-BDD1-977DE614CB47\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D29DC3CE-E782-47F7-BDF4-4AB63728F05B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:2.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF4A10F6-2128-4986-8A28-BD9B679D8380\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:2.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B720DED-23EE-4830-9C8B-441A38DAE80E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0FD44168-A91A-4043-8C34-7A20DC2C1A19\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"66926B59-4A4F-47B9-9B2B-3D8DC698BC97\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:2.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D72DFB62-EEA6-4126-9DC3-B191CC8D0CA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8DBE132-2A98-40C6-947F-50C1D06DDFB1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:2.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"18EB42B1-D507-4B48-B835-C87AC5CC3650\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:2.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"376C608B-645D-4560-8A7E-4154DCFD2B1F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C077D692-150C-4AE9-8C0B-7A3EA5EB1100\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:3.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5DE5BA7D-BEFA-474C-BBD3-4C22F1283182\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4EFFA4B2-1562-48E0-A598-3C1F8973FDF1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:3.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"495496C9-8CFE-431D-84EB-1C94B7C74E82\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:3.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F57B34F5-66CD-4051-8406-54709C39572F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_web_framework_kit:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.2.0\",\"matchCriteriaId\":\"E43C0ED7-47AA-474B-B1E8-D5358EA40A41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_web_framework_kit:1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"69A1DC5C-28D4-4C03-9B4D-EB474714B530\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_web_framework_kit:1.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0043DABE-2CF1-46FA-BC11-058EF8800D37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_web_framework_kit:1.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6EA16184-345B-47C0-B5C2-2FC47E7BCD87\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_web_framework_kit:2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"910ABBBA-7FAC-4512-801C-3FDB5D7584D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_web_framework_kit:2.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"30B541A7-C0DC-4650-9C58-22E4FB14C213\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7714AE54-6EA9-4FF0-995A-EAE7C9EC90A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF339098-BFB5-4795-84D0-1D4E3CA291C4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E1D36E4-44D9-4BCB-A5BB-6F9411A1EF02\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E459D64B-4427-45D4-9AD8-27322D472AA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BECB4A09-BF7E-4314-9DFA-FB093FD1035F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.1.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA0C4149-1B58-44B4-8A4C-694EC46357B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.1.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"597510CA-20F6-4BFB-B674-BA2E54510D70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E67C14B-9CAB-401F-9B8E-367DABC8B403\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.2.0:sr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC999E61-A1E7-434F-89C5-D65150FFD3C4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FDDF3150-DB24-45B5-8AE4-E1389BFC7D9E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0C460B1D-6C7D-40B8-8F23-192CCEB68948\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6A03D84C-BB68-4564-97F7-8CD326D86B4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7E2B5531-406B-47EA-A61F-2D3DD07E5BE9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D2FE027-BF63-4EC9-B743-C7A805A65FCD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.3.2:sr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"66F0B040-84E3-44B4-ACE4-0BC9366C064E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:3.3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD902B25-B15E-463E-8DF0-7DD0889A2B00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:4.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E27F9EFE-D7CA-46A0-99B2-F4FDE622A9CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:4.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4A438EF-E450-49DE-B745-3F8034C715DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:4.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7201416F-1CAC-431E-93A8-74FBB708CC53\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:4.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E9C9F20-702E-4943-9AE9-D419BFFFBC45\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:4.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8E7B1BC4-71B6-4F46-927F-E537A1688CD6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:4.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"730FB8DB-5116-4BF2-9348-F280ACF3D197\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:4.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B82F2B98-5B8B-4BA0-912C-0C6C6B5393DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:4.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"986311E6-C44C-4DFF-A74B-1501DFB9B5A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:4.5.0:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D6E0C8B-8901-47F9-A96E-645BE5037666\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:richfaces:5.0.0:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8DA147D3-F295-4DBD-87AD-40C7F9B00C8F\"}]}]}],\"references\":[{\"url\":\"http://jvn.jp/en/jp/JVN38787103/index.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1041.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1042.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1043.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1044.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1045.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2020/Mar/21\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2013-2165\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=973570\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"http://jvn.jp/en/jp/JVN38787103/index.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1041.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1042.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1043.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1044.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1045.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2020/Mar/21\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2013-2165\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=973570\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}],\"evaluatorComment\":\"Per: http://www.bleathem.ca/blog/2013/07/richfaces-CVE-2013-2165.html\\n\\n\\\"Download RichFaces 3.3.4.Final or RichFaces 4.3.3.Final and use them in your applications to protect yourself from this vulnerability.\\\"\"}}"
}
}
rhsa-2013:1044
Vulnerability from csaf_redhat
Published
2013-07-11 00:13
Modified
2024-11-22 06:42
Summary
Red Hat Security Advisory: jboss-seam2 security update
Notes
Topic
Updated jboss-seam2 packages that fix one security issue are now available
for Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 for Red Hat
Enterprise Linux 4 and 5.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
The JBoss Seam 2 framework is an application framework for building web
applications in Java. The RichFaces component is an open source framework
that adds Ajax capability into existing JavaServer Faces (JSF)
applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing Red Hat JBoss
Enterprise Application Platform installation (including all applications
and configuration files).
All users of Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 on
Red Hat Enterprise Linux 4 and 5 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to take
effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated jboss-seam2 packages that fix one security issue are now available\nfor Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 for Red Hat\nEnterprise Linux 4 and 5.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The JBoss Seam 2 framework is an application framework for building web\napplications in Java. The RichFaces component is an open source framework\nthat adds Ajax capability into existing JavaServer Faces (JSF)\napplications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing Red Hat JBoss\nEnterprise Application Platform installation (including all applications\nand configuration files).\n\nAll users of Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 on\nRed Hat Enterprise Linux 4 and 5 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to take\neffect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1044",
"url": "https://access.redhat.com/errata/RHSA-2013:1044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1044.json"
}
],
"title": "Red Hat Security Advisory: jboss-seam2 security update",
"tracking": {
"current_release_date": "2024-11-22T06:42:56+00:00",
"generator": {
"date": "2024-11-22T06:42:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1044",
"initial_release_date": "2013-07-11T00:13:00+00:00",
"revision_history": [
{
"date": "2013-07-11T00:13:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-11T00:17:04+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:42:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product_id": "4AS-JBEAP-4.3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product_id": "4ES-JBEAP-4.3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product_id": "5Server-JBEAP-4.3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"product": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"product_id": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2@2.0.2.FP_SEC1-1.ep2.6.el4?arch=src"
}
}
},
{
"category": "product_version",
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"product": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"product_id": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2@2.0.2.FP_SEC1-1.ep2.6.el5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product_id": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2@2.0.2.FP_SEC1-1.ep2.6.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product_id": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2-docs@2.0.2.FP_SEC1-1.ep2.6.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product_id": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2@2.0.2.FP_SEC1-1.ep2.6.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product_id": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2-docs@2.0.2.FP_SEC1-1.ep2.6.el5?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product_id": "4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product_id": "4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"relates_to_product_reference": "4AS-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product_id": "4AS-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch"
},
"product_reference": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product_id": "4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product_id": "4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"relates_to_product_reference": "4ES-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product_id": "4ES-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch"
},
"product_reference": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product_id": "5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product_id": "5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"relates_to_product_reference": "5Server-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product_id": "5Server-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
},
"product_reference": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-4.3.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4AS-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4ES-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"5Server-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-11T00:13:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4AS-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4ES-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"5Server-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1044"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4AS-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4ES-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"5Server-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
rhsa-2013_1045
Vulnerability from csaf_redhat
Published
2013-07-11 00:14
Modified
2024-11-22 06:43
Summary
Red Hat Security Advisory: RichFaces security update
Notes
Topic
An update for the RichFaces component that fixes one security issue is now
available from the Red Hat Customer Portal for Red Hat JBoss Enterprise
Application Platform 4.3.0 CP10 and 5.2.0; Red Hat JBoss Web Platform
5.2.0; Red Hat JBoss BRMS 5.3.1; Red Hat JBoss SOA Platform 4.3.0 CP05 and
5.3.1; Red Hat JBoss Portal 4.3 CP07 and 5.2.2; and Red Hat JBoss
Operations Network 2.4.2 and 3.1.2.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing installation,
including all applications, configuration files, databases and database
settings, and so on. For Red Hat JBoss Operations Network, also back up
the Red Hat JBoss Operations Network server's file system directory.
All users of the affected products as provided from the Red Hat Customer
Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the RichFaces component that fixes one security issue is now\navailable from the Red Hat Customer Portal for Red Hat JBoss Enterprise\nApplication Platform 4.3.0 CP10 and 5.2.0; Red Hat JBoss Web Platform\n5.2.0; Red Hat JBoss BRMS 5.3.1; Red Hat JBoss SOA Platform 4.3.0 CP05 and\n5.3.1; Red Hat JBoss Portal 4.3 CP07 and 5.2.2; and Red Hat JBoss\nOperations Network 2.4.2 and 3.1.2.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "RichFaces is an open source framework that adds Ajax capability into\nexisting JavaServer Faces (JSF) applications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing installation,\nincluding all applications, configuration files, databases and database\nsettings, and so on. For Red Hat JBoss Operations Network, also back up\nthe Red Hat JBoss Operations Network server\u0027s file system directory.\n\nAll users of the affected products as provided from the Red Hat Customer\nPortal are advised to apply this update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1045",
"url": "https://access.redhat.com/errata/RHSA-2013:1045"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/",
"url": "https://access.redhat.com/site/documentation/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=5.2.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=5.2.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=4.3.0.GA_CP10",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=4.3.0.GA_CP10"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform\u0026downloadType=securityPatches\u0026version=5.2.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform\u0026downloadType=securityPatches\u0026version=5.2.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=5.3.1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=5.3.1"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=soaplatform\u0026version=4.3.0.GA_CP05",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=soaplatform\u0026version=4.3.0.GA_CP05"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=4.3+CP07",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=4.3+CP07"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.1.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.1.2"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=em\u0026version=2.4.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=em\u0026version=2.4.2"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1045.json"
}
],
"title": "Red Hat Security Advisory: RichFaces security update",
"tracking": {
"current_release_date": "2024-11-22T06:43:00+00:00",
"generator": {
"date": "2024-11-22T06:43:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1045",
"initial_release_date": "2013-07-11T00:14:00+00:00",
"revision_history": [
{
"date": "2013-07-11T00:14:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-11T00:16:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:43:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3",
"product_id": "Red Hat JBoss Enterprise Application Platform 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:update10"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5.2",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5.2",
"product_id": "Red Hat JBoss Enterprise Application Platform 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0"
}
}
},
{
"category": "product_name",
"name": "JBoss Enterprise BRMS Platform 5.3",
"product": {
"name": "JBoss Enterprise BRMS Platform 5.3",
"product_id": "JBoss Enterprise BRMS Platform 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Portal 4.3",
"product": {
"name": "Red Hat JBoss Portal 4.3",
"product_id": "Red Hat JBoss Portal 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:4.3.0:update7"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Portal 5.2",
"product": {
"name": "Red Hat JBoss Portal 5.2",
"product_id": "Red Hat JBoss Portal 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss SOA Platform 4.3",
"product": {
"name": "Red Hat JBoss SOA Platform 4.3",
"product_id": "Red Hat JBoss SOA Platform 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4.3.0:update5"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss SOA Platform 5.3",
"product": {
"name": "Red Hat JBoss SOA Platform 5.3",
"product_id": "Red Hat JBoss SOA Platform 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5.2",
"product": {
"name": "Red Hat JBoss Web Platform 5.2",
"product_id": "Red Hat JBoss Web Platform 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Operations Network 2.4",
"product": {
"name": "Red Hat JBoss Operations Network 2.4",
"product_id": "Red Hat JBoss Operations Network 2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_operations_network:2.4.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Operations Network 3.1",
"product": {
"name": "Red Hat JBoss Operations Network 3.1",
"product_id": "Red Hat JBoss Operations Network 3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_operations_network:3.1.2"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"JBoss Enterprise BRMS Platform 5.3",
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.2",
"Red Hat JBoss Operations Network 2.4",
"Red Hat JBoss Operations Network 3.1",
"Red Hat JBoss Portal 4.3",
"Red Hat JBoss Portal 5.2",
"Red Hat JBoss SOA Platform 4.3",
"Red Hat JBoss SOA Platform 5.3",
"Red Hat JBoss Web Platform 5.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-11T00:14:00+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on. For Red Hat JBoss Operations\nNetwork, also back up the Red Hat JBoss Operations Network server\u0027s file\nsystem directory.\n\nFor Red Hat JBoss BRMS, Red Hat JBoss SOA Platform, and Red Hat JBoss\nPortal, it is recommended to halt the server by stopping the JBoss\nApplication Server process before installing this update, and then after\ninstalling the update, restart the server by starting the JBoss Application\nServer process.\n\nRefer to the Red Hat JBoss Operations Network Release Notes for\ninstallation information.\n\nThe JBoss server process must be restarted for this update to take effect.",
"product_ids": [
"JBoss Enterprise BRMS Platform 5.3",
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.2",
"Red Hat JBoss Operations Network 2.4",
"Red Hat JBoss Operations Network 3.1",
"Red Hat JBoss Portal 4.3",
"Red Hat JBoss Portal 5.2",
"Red Hat JBoss SOA Platform 4.3",
"Red Hat JBoss SOA Platform 5.3",
"Red Hat JBoss Web Platform 5.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1045"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"JBoss Enterprise BRMS Platform 5.3",
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.2",
"Red Hat JBoss Operations Network 2.4",
"Red Hat JBoss Operations Network 3.1",
"Red Hat JBoss Portal 4.3",
"Red Hat JBoss Portal 5.2",
"Red Hat JBoss SOA Platform 4.3",
"Red Hat JBoss SOA Platform 5.3",
"Red Hat JBoss Web Platform 5.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
RHSA-2013:1043
Vulnerability from csaf_redhat
Published
2013-07-10 23:54
Modified
2024-11-22 06:42
Summary
Red Hat Security Advisory: richfaces security update
Notes
Topic
Updated richfaces packages that fix one security issue are now available
for Red Hat JBoss Web Platform 5.2.0 for Red Hat Enterprise Linux 4, 5,
and 6.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing Red Hat JBoss
Web Platform installation (including all applications and configuration
files).
All users of Red Hat JBoss Web Platform 5.2.0 on Red Hat Enterprise Linux
4, 5, and 6 are advised to upgrade to these updated packages. The JBoss
server process must be restarted for the update to take effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated richfaces packages that fix one security issue are now available\nfor Red Hat JBoss Web Platform 5.2.0 for Red Hat Enterprise Linux 4, 5,\nand 6.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "RichFaces is an open source framework that adds Ajax capability into\nexisting JavaServer Faces (JSF) applications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing Red Hat JBoss\nWeb Platform installation (including all applications and configuration\nfiles).\n\nAll users of Red Hat JBoss Web Platform 5.2.0 on Red Hat Enterprise Linux\n4, 5, and 6 are advised to upgrade to these updated packages. The JBoss\nserver process must be restarted for the update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1043",
"url": "https://access.redhat.com/errata/RHSA-2013:1043"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1043.json"
}
],
"title": "Red Hat Security Advisory: richfaces security update",
"tracking": {
"current_release_date": "2024-11-22T06:42:51+00:00",
"generator": {
"date": "2024-11-22T06:42:51+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1043",
"initial_release_date": "2013-07-10T23:54:00+00:00",
"revision_history": [
{
"date": "2013-07-10T23:54:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-10T23:55:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:42:51+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product": {
"name": "Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product": {
"name": "Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el5"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product": {
"name": "Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product": {
"name": "Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el4"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Web Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product_id": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-3.SP3_patch_01.ep5.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product_id": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-6.SP3_patch_01.ep5.el5?arch=src"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product_id": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-11.SP3_patch_01.ep5.el4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src"
},
"product_reference": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src"
},
"product_reference": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEWP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEWP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
],
"known_not_affected": [
"4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-10T23:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEWP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEWP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1043"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEWP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEWP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
rhsa-2013_1044
Vulnerability from csaf_redhat
Published
2013-07-11 00:13
Modified
2024-11-22 06:42
Summary
Red Hat Security Advisory: jboss-seam2 security update
Notes
Topic
Updated jboss-seam2 packages that fix one security issue are now available
for Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 for Red Hat
Enterprise Linux 4 and 5.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
The JBoss Seam 2 framework is an application framework for building web
applications in Java. The RichFaces component is an open source framework
that adds Ajax capability into existing JavaServer Faces (JSF)
applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing Red Hat JBoss
Enterprise Application Platform installation (including all applications
and configuration files).
All users of Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 on
Red Hat Enterprise Linux 4 and 5 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to take
effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated jboss-seam2 packages that fix one security issue are now available\nfor Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 for Red Hat\nEnterprise Linux 4 and 5.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The JBoss Seam 2 framework is an application framework for building web\napplications in Java. The RichFaces component is an open source framework\nthat adds Ajax capability into existing JavaServer Faces (JSF)\napplications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing Red Hat JBoss\nEnterprise Application Platform installation (including all applications\nand configuration files).\n\nAll users of Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 on\nRed Hat Enterprise Linux 4 and 5 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to take\neffect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1044",
"url": "https://access.redhat.com/errata/RHSA-2013:1044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1044.json"
}
],
"title": "Red Hat Security Advisory: jboss-seam2 security update",
"tracking": {
"current_release_date": "2024-11-22T06:42:56+00:00",
"generator": {
"date": "2024-11-22T06:42:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1044",
"initial_release_date": "2013-07-11T00:13:00+00:00",
"revision_history": [
{
"date": "2013-07-11T00:13:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-11T00:17:04+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:42:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product_id": "4AS-JBEAP-4.3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product_id": "4ES-JBEAP-4.3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product_id": "5Server-JBEAP-4.3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"product": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"product_id": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2@2.0.2.FP_SEC1-1.ep2.6.el4?arch=src"
}
}
},
{
"category": "product_version",
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"product": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"product_id": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2@2.0.2.FP_SEC1-1.ep2.6.el5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product_id": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2@2.0.2.FP_SEC1-1.ep2.6.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product_id": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2-docs@2.0.2.FP_SEC1-1.ep2.6.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product_id": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2@2.0.2.FP_SEC1-1.ep2.6.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product_id": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2-docs@2.0.2.FP_SEC1-1.ep2.6.el5?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product_id": "4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product_id": "4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"relates_to_product_reference": "4AS-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product_id": "4AS-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch"
},
"product_reference": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product_id": "4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product_id": "4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"relates_to_product_reference": "4ES-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product_id": "4ES-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch"
},
"product_reference": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product_id": "5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product_id": "5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"relates_to_product_reference": "5Server-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product_id": "5Server-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
},
"product_reference": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-4.3.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4AS-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4ES-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"5Server-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-11T00:13:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4AS-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4ES-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"5Server-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1044"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4AS-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4ES-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"5Server-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
rhsa-2013:1042
Vulnerability from csaf_redhat
Published
2013-07-10 23:54
Modified
2024-11-22 06:42
Summary
Red Hat Security Advisory: richfaces security update
Notes
Topic
Updated richfaces packages that fix one security issue are now available
for Red Hat JBoss Enterprise Application Platform 5.2.0 for Red Hat
Enterprise Linux 4, 5, and 6.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing Red Hat JBoss
Enterprise Application Platform installation (including all applications
and configuration files).
All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat
Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to take
effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated richfaces packages that fix one security issue are now available\nfor Red Hat JBoss Enterprise Application Platform 5.2.0 for Red Hat\nEnterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "RichFaces is an open source framework that adds Ajax capability into\nexisting JavaServer Faces (JSF) applications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing Red Hat JBoss\nEnterprise Application Platform installation (including all applications\nand configuration files).\n\nAll users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat\nEnterprise Linux 4, 5, and 6 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to take\neffect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1042",
"url": "https://access.redhat.com/errata/RHSA-2013:1042"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1042.json"
}
],
"title": "Red Hat Security Advisory: richfaces security update",
"tracking": {
"current_release_date": "2024-11-22T06:42:46+00:00",
"generator": {
"date": "2024-11-22T06:42:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1042",
"initial_release_date": "2013-07-10T23:54:00+00:00",
"revision_history": [
{
"date": "2013-07-10T23:54:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-10T23:55:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:42:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product_id": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-3.SP3_patch_01.ep5.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product_id": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-6.SP3_patch_01.ep5.el5?arch=src"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product_id": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-11.SP3_patch_01.ep5.el4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src"
},
"product_reference": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src"
},
"product_reference": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEAP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEAP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-10T23:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEAP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEAP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1042"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEAP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEAP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
RHSA-2013:1044
Vulnerability from csaf_redhat
Published
2013-07-11 00:13
Modified
2024-11-22 06:42
Summary
Red Hat Security Advisory: jboss-seam2 security update
Notes
Topic
Updated jboss-seam2 packages that fix one security issue are now available
for Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 for Red Hat
Enterprise Linux 4 and 5.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
The JBoss Seam 2 framework is an application framework for building web
applications in Java. The RichFaces component is an open source framework
that adds Ajax capability into existing JavaServer Faces (JSF)
applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing Red Hat JBoss
Enterprise Application Platform installation (including all applications
and configuration files).
All users of Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 on
Red Hat Enterprise Linux 4 and 5 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to take
effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated jboss-seam2 packages that fix one security issue are now available\nfor Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 for Red Hat\nEnterprise Linux 4 and 5.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The JBoss Seam 2 framework is an application framework for building web\napplications in Java. The RichFaces component is an open source framework\nthat adds Ajax capability into existing JavaServer Faces (JSF)\napplications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing Red Hat JBoss\nEnterprise Application Platform installation (including all applications\nand configuration files).\n\nAll users of Red Hat JBoss Enterprise Application Platform 4.3.0 CP10 on\nRed Hat Enterprise Linux 4 and 5 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to take\neffect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1044",
"url": "https://access.redhat.com/errata/RHSA-2013:1044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1044.json"
}
],
"title": "Red Hat Security Advisory: jboss-seam2 security update",
"tracking": {
"current_release_date": "2024-11-22T06:42:56+00:00",
"generator": {
"date": "2024-11-22T06:42:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1044",
"initial_release_date": "2013-07-11T00:13:00+00:00",
"revision_history": [
{
"date": "2013-07-11T00:13:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-11T00:17:04+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:42:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product_id": "4AS-JBEAP-4.3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product_id": "4ES-JBEAP-4.3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product_id": "5Server-JBEAP-4.3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"product": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"product_id": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2@2.0.2.FP_SEC1-1.ep2.6.el4?arch=src"
}
}
},
{
"category": "product_version",
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"product": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"product_id": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2@2.0.2.FP_SEC1-1.ep2.6.el5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product_id": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2@2.0.2.FP_SEC1-1.ep2.6.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product_id": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2-docs@2.0.2.FP_SEC1-1.ep2.6.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product_id": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2@2.0.2.FP_SEC1-1.ep2.6.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product_id": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jboss-seam2-docs@2.0.2.FP_SEC1-1.ep2.6.el5?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product_id": "4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product_id": "4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"relates_to_product_reference": "4AS-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS",
"product_id": "4AS-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch"
},
"product_reference": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product_id": "4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product_id": "4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"relates_to_product_reference": "4ES-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES",
"product_id": "4ES-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch"
},
"product_reference": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product_id": "5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product_id": "5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src"
},
"product_reference": "jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"relates_to_product_reference": "5Server-JBEAP-4.3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server",
"product_id": "5Server-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
},
"product_reference": "jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-4.3.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4AS-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4ES-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"5Server-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-11T00:13:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4AS-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4ES-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"5Server-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1044"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4AS-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4AS-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"4ES-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el4.src",
"4ES-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el4.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch",
"5Server-JBEAP-4.3.0:jboss-seam2-0:2.0.2.FP_SEC1-1.ep2.6.el5.src",
"5Server-JBEAP-4.3.0:jboss-seam2-docs-0:2.0.2.FP_SEC1-1.ep2.6.el5.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
RHSA-2013:1042
Vulnerability from csaf_redhat
Published
2013-07-10 23:54
Modified
2024-11-22 06:42
Summary
Red Hat Security Advisory: richfaces security update
Notes
Topic
Updated richfaces packages that fix one security issue are now available
for Red Hat JBoss Enterprise Application Platform 5.2.0 for Red Hat
Enterprise Linux 4, 5, and 6.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing Red Hat JBoss
Enterprise Application Platform installation (including all applications
and configuration files).
All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat
Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to take
effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated richfaces packages that fix one security issue are now available\nfor Red Hat JBoss Enterprise Application Platform 5.2.0 for Red Hat\nEnterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "RichFaces is an open source framework that adds Ajax capability into\nexisting JavaServer Faces (JSF) applications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing Red Hat JBoss\nEnterprise Application Platform installation (including all applications\nand configuration files).\n\nAll users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat\nEnterprise Linux 4, 5, and 6 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to take\neffect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1042",
"url": "https://access.redhat.com/errata/RHSA-2013:1042"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1042.json"
}
],
"title": "Red Hat Security Advisory: richfaces security update",
"tracking": {
"current_release_date": "2024-11-22T06:42:46+00:00",
"generator": {
"date": "2024-11-22T06:42:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1042",
"initial_release_date": "2013-07-10T23:54:00+00:00",
"revision_history": [
{
"date": "2013-07-10T23:54:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-10T23:55:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:42:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product_id": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-3.SP3_patch_01.ep5.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product_id": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-6.SP3_patch_01.ep5.el5?arch=src"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product_id": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-11.SP3_patch_01.ep5.el4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src"
},
"product_reference": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src"
},
"product_reference": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEAP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEAP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-10T23:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEAP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEAP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1042"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEAP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEAP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
rhsa-2013:1041
Vulnerability from csaf_redhat
Published
2013-07-10 23:36
Modified
2024-11-22 06:42
Summary
Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.3.0 update
Notes
Topic
Red Hat JBoss Web Framework Kit 2.3.0, which fixes one security issue,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
Red Hat JBoss Web Framework Kit combines popular open source web frameworks
into a single solution for Java applications.
This release serves as a replacement for Red Hat JBoss Web Framework Kit
2.2.0, and includes bug fixes and enhancements. Refer to the 2.3.0
Release Notes for information on the most significant of these changes,
available shortly from https://access.redhat.com/site/documentation/
This release also fixes the following security issue:
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing installation of
Red Hat JBoss Enterprise Application Platform or Red Hat JBoss Web Server,
and applications deployed to it.
All users of Red Hat JBoss Web Framework Kit 2.2.0 as provided from the Red
Hat Customer Portal are advised to upgrade to Red Hat JBoss Web Framework
Kit 2.3.0.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss Web Framework Kit 2.3.0, which fixes one security issue,\nvarious bugs, and adds enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Web Framework Kit combines popular open source web frameworks\ninto a single solution for Java applications.\n\nThis release serves as a replacement for Red Hat JBoss Web Framework Kit\n2.2.0, and includes bug fixes and enhancements. Refer to the 2.3.0\nRelease Notes for information on the most significant of these changes,\navailable shortly from https://access.redhat.com/site/documentation/\n\nThis release also fixes the following security issue:\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing installation of\nRed Hat JBoss Enterprise Application Platform or Red Hat JBoss Web Server,\nand applications deployed to it.\n\nAll users of Red Hat JBoss Web Framework Kit 2.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to Red Hat JBoss Web Framework\nKit 2.3.0.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1041",
"url": "https://access.redhat.com/errata/RHSA-2013:1041"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/",
"url": "https://access.redhat.com/site/documentation/"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1041.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.3.0 update",
"tracking": {
"current_release_date": "2024-11-22T06:42:41+00:00",
"generator": {
"date": "2024-11-22T06:42:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1041",
"initial_release_date": "2013-07-10T23:36:00+00:00",
"revision_history": [
{
"date": "2013-07-10T23:36:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-10T23:44:29+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:42:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Web Framework Kit 2.3",
"product": {
"name": "Red Hat JBoss Web Framework Kit 2.3",
"product_id": "Red Hat JBoss Web Framework Kit 2.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.3.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Web Framework Kit"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Web Framework Kit 2.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-10T23:36:00+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting installation of Red Hat JBoss Enterprise Application Platform or\nRed Hat JBoss Web Server, and applications deployed to it.\n\nThe JBoss server process must be restarted for this update to take effect.",
"product_ids": [
"Red Hat JBoss Web Framework Kit 2.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1041"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Web Framework Kit 2.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
rhsa-2013_1042
Vulnerability from csaf_redhat
Published
2013-07-10 23:54
Modified
2024-11-22 06:42
Summary
Red Hat Security Advisory: richfaces security update
Notes
Topic
Updated richfaces packages that fix one security issue are now available
for Red Hat JBoss Enterprise Application Platform 5.2.0 for Red Hat
Enterprise Linux 4, 5, and 6.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing Red Hat JBoss
Enterprise Application Platform installation (including all applications
and configuration files).
All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat
Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to take
effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated richfaces packages that fix one security issue are now available\nfor Red Hat JBoss Enterprise Application Platform 5.2.0 for Red Hat\nEnterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "RichFaces is an open source framework that adds Ajax capability into\nexisting JavaServer Faces (JSF) applications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing Red Hat JBoss\nEnterprise Application Platform installation (including all applications\nand configuration files).\n\nAll users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat\nEnterprise Linux 4, 5, and 6 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to take\neffect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1042",
"url": "https://access.redhat.com/errata/RHSA-2013:1042"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1042.json"
}
],
"title": "Red Hat Security Advisory: richfaces security update",
"tracking": {
"current_release_date": "2024-11-22T06:42:46+00:00",
"generator": {
"date": "2024-11-22T06:42:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1042",
"initial_release_date": "2013-07-10T23:54:00+00:00",
"revision_history": [
{
"date": "2013-07-10T23:54:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-10T23:55:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:42:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product_id": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-3.SP3_patch_01.ep5.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product_id": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-6.SP3_patch_01.ep5.el5?arch=src"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product_id": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-11.SP3_patch_01.ep5.el4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src"
},
"product_reference": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src"
},
"product_reference": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEAP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEAP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-10T23:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEAP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEAP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1042"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEAP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEAP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEAP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEAP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEAP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEAP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
rhsa-2013_1043
Vulnerability from csaf_redhat
Published
2013-07-10 23:54
Modified
2024-11-22 06:42
Summary
Red Hat Security Advisory: richfaces security update
Notes
Topic
Updated richfaces packages that fix one security issue are now available
for Red Hat JBoss Web Platform 5.2.0 for Red Hat Enterprise Linux 4, 5,
and 6.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing Red Hat JBoss
Web Platform installation (including all applications and configuration
files).
All users of Red Hat JBoss Web Platform 5.2.0 on Red Hat Enterprise Linux
4, 5, and 6 are advised to upgrade to these updated packages. The JBoss
server process must be restarted for the update to take effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated richfaces packages that fix one security issue are now available\nfor Red Hat JBoss Web Platform 5.2.0 for Red Hat Enterprise Linux 4, 5,\nand 6.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "RichFaces is an open source framework that adds Ajax capability into\nexisting JavaServer Faces (JSF) applications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing Red Hat JBoss\nWeb Platform installation (including all applications and configuration\nfiles).\n\nAll users of Red Hat JBoss Web Platform 5.2.0 on Red Hat Enterprise Linux\n4, 5, and 6 are advised to upgrade to these updated packages. The JBoss\nserver process must be restarted for the update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1043",
"url": "https://access.redhat.com/errata/RHSA-2013:1043"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1043.json"
}
],
"title": "Red Hat Security Advisory: richfaces security update",
"tracking": {
"current_release_date": "2024-11-22T06:42:51+00:00",
"generator": {
"date": "2024-11-22T06:42:51+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1043",
"initial_release_date": "2013-07-10T23:54:00+00:00",
"revision_history": [
{
"date": "2013-07-10T23:54:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-10T23:55:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:42:51+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product": {
"name": "Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product": {
"name": "Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el5"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product": {
"name": "Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product": {
"name": "Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el4"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Web Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product_id": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-3.SP3_patch_01.ep5.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product_id": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-6.SP3_patch_01.ep5.el5?arch=src"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product_id": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-11.SP3_patch_01.ep5.el4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src"
},
"product_reference": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src"
},
"product_reference": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEWP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEWP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
],
"known_not_affected": [
"4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-10T23:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEWP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEWP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1043"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEWP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEWP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
rhsa-2013:1045
Vulnerability from csaf_redhat
Published
2013-07-11 00:14
Modified
2024-11-22 06:43
Summary
Red Hat Security Advisory: RichFaces security update
Notes
Topic
An update for the RichFaces component that fixes one security issue is now
available from the Red Hat Customer Portal for Red Hat JBoss Enterprise
Application Platform 4.3.0 CP10 and 5.2.0; Red Hat JBoss Web Platform
5.2.0; Red Hat JBoss BRMS 5.3.1; Red Hat JBoss SOA Platform 4.3.0 CP05 and
5.3.1; Red Hat JBoss Portal 4.3 CP07 and 5.2.2; and Red Hat JBoss
Operations Network 2.4.2 and 3.1.2.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing installation,
including all applications, configuration files, databases and database
settings, and so on. For Red Hat JBoss Operations Network, also back up
the Red Hat JBoss Operations Network server's file system directory.
All users of the affected products as provided from the Red Hat Customer
Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the RichFaces component that fixes one security issue is now\navailable from the Red Hat Customer Portal for Red Hat JBoss Enterprise\nApplication Platform 4.3.0 CP10 and 5.2.0; Red Hat JBoss Web Platform\n5.2.0; Red Hat JBoss BRMS 5.3.1; Red Hat JBoss SOA Platform 4.3.0 CP05 and\n5.3.1; Red Hat JBoss Portal 4.3 CP07 and 5.2.2; and Red Hat JBoss\nOperations Network 2.4.2 and 3.1.2.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "RichFaces is an open source framework that adds Ajax capability into\nexisting JavaServer Faces (JSF) applications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing installation,\nincluding all applications, configuration files, databases and database\nsettings, and so on. For Red Hat JBoss Operations Network, also back up\nthe Red Hat JBoss Operations Network server\u0027s file system directory.\n\nAll users of the affected products as provided from the Red Hat Customer\nPortal are advised to apply this update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1045",
"url": "https://access.redhat.com/errata/RHSA-2013:1045"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/",
"url": "https://access.redhat.com/site/documentation/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=5.2.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=5.2.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=4.3.0.GA_CP10",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=4.3.0.GA_CP10"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform\u0026downloadType=securityPatches\u0026version=5.2.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform\u0026downloadType=securityPatches\u0026version=5.2.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=5.3.1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=5.3.1"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=soaplatform\u0026version=4.3.0.GA_CP05",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=soaplatform\u0026version=4.3.0.GA_CP05"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=4.3+CP07",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=4.3+CP07"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.1.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.1.2"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=em\u0026version=2.4.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=em\u0026version=2.4.2"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1045.json"
}
],
"title": "Red Hat Security Advisory: RichFaces security update",
"tracking": {
"current_release_date": "2024-11-22T06:43:00+00:00",
"generator": {
"date": "2024-11-22T06:43:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1045",
"initial_release_date": "2013-07-11T00:14:00+00:00",
"revision_history": [
{
"date": "2013-07-11T00:14:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-11T00:16:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:43:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3",
"product_id": "Red Hat JBoss Enterprise Application Platform 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:update10"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5.2",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5.2",
"product_id": "Red Hat JBoss Enterprise Application Platform 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0"
}
}
},
{
"category": "product_name",
"name": "JBoss Enterprise BRMS Platform 5.3",
"product": {
"name": "JBoss Enterprise BRMS Platform 5.3",
"product_id": "JBoss Enterprise BRMS Platform 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Portal 4.3",
"product": {
"name": "Red Hat JBoss Portal 4.3",
"product_id": "Red Hat JBoss Portal 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:4.3.0:update7"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Portal 5.2",
"product": {
"name": "Red Hat JBoss Portal 5.2",
"product_id": "Red Hat JBoss Portal 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss SOA Platform 4.3",
"product": {
"name": "Red Hat JBoss SOA Platform 4.3",
"product_id": "Red Hat JBoss SOA Platform 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4.3.0:update5"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss SOA Platform 5.3",
"product": {
"name": "Red Hat JBoss SOA Platform 5.3",
"product_id": "Red Hat JBoss SOA Platform 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5.2",
"product": {
"name": "Red Hat JBoss Web Platform 5.2",
"product_id": "Red Hat JBoss Web Platform 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Operations Network 2.4",
"product": {
"name": "Red Hat JBoss Operations Network 2.4",
"product_id": "Red Hat JBoss Operations Network 2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_operations_network:2.4.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Operations Network 3.1",
"product": {
"name": "Red Hat JBoss Operations Network 3.1",
"product_id": "Red Hat JBoss Operations Network 3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_operations_network:3.1.2"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"JBoss Enterprise BRMS Platform 5.3",
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.2",
"Red Hat JBoss Operations Network 2.4",
"Red Hat JBoss Operations Network 3.1",
"Red Hat JBoss Portal 4.3",
"Red Hat JBoss Portal 5.2",
"Red Hat JBoss SOA Platform 4.3",
"Red Hat JBoss SOA Platform 5.3",
"Red Hat JBoss Web Platform 5.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-11T00:14:00+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on. For Red Hat JBoss Operations\nNetwork, also back up the Red Hat JBoss Operations Network server\u0027s file\nsystem directory.\n\nFor Red Hat JBoss BRMS, Red Hat JBoss SOA Platform, and Red Hat JBoss\nPortal, it is recommended to halt the server by stopping the JBoss\nApplication Server process before installing this update, and then after\ninstalling the update, restart the server by starting the JBoss Application\nServer process.\n\nRefer to the Red Hat JBoss Operations Network Release Notes for\ninstallation information.\n\nThe JBoss server process must be restarted for this update to take effect.",
"product_ids": [
"JBoss Enterprise BRMS Platform 5.3",
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.2",
"Red Hat JBoss Operations Network 2.4",
"Red Hat JBoss Operations Network 3.1",
"Red Hat JBoss Portal 4.3",
"Red Hat JBoss Portal 5.2",
"Red Hat JBoss SOA Platform 4.3",
"Red Hat JBoss SOA Platform 5.3",
"Red Hat JBoss Web Platform 5.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1045"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"JBoss Enterprise BRMS Platform 5.3",
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.2",
"Red Hat JBoss Operations Network 2.4",
"Red Hat JBoss Operations Network 3.1",
"Red Hat JBoss Portal 4.3",
"Red Hat JBoss Portal 5.2",
"Red Hat JBoss SOA Platform 4.3",
"Red Hat JBoss SOA Platform 5.3",
"Red Hat JBoss Web Platform 5.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
RHSA-2013:1041
Vulnerability from csaf_redhat
Published
2013-07-10 23:36
Modified
2024-11-22 06:42
Summary
Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.3.0 update
Notes
Topic
Red Hat JBoss Web Framework Kit 2.3.0, which fixes one security issue,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
Red Hat JBoss Web Framework Kit combines popular open source web frameworks
into a single solution for Java applications.
This release serves as a replacement for Red Hat JBoss Web Framework Kit
2.2.0, and includes bug fixes and enhancements. Refer to the 2.3.0
Release Notes for information on the most significant of these changes,
available shortly from https://access.redhat.com/site/documentation/
This release also fixes the following security issue:
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing installation of
Red Hat JBoss Enterprise Application Platform or Red Hat JBoss Web Server,
and applications deployed to it.
All users of Red Hat JBoss Web Framework Kit 2.2.0 as provided from the Red
Hat Customer Portal are advised to upgrade to Red Hat JBoss Web Framework
Kit 2.3.0.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss Web Framework Kit 2.3.0, which fixes one security issue,\nvarious bugs, and adds enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Web Framework Kit combines popular open source web frameworks\ninto a single solution for Java applications.\n\nThis release serves as a replacement for Red Hat JBoss Web Framework Kit\n2.2.0, and includes bug fixes and enhancements. Refer to the 2.3.0\nRelease Notes for information on the most significant of these changes,\navailable shortly from https://access.redhat.com/site/documentation/\n\nThis release also fixes the following security issue:\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing installation of\nRed Hat JBoss Enterprise Application Platform or Red Hat JBoss Web Server,\nand applications deployed to it.\n\nAll users of Red Hat JBoss Web Framework Kit 2.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to Red Hat JBoss Web Framework\nKit 2.3.0.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1041",
"url": "https://access.redhat.com/errata/RHSA-2013:1041"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/",
"url": "https://access.redhat.com/site/documentation/"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1041.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.3.0 update",
"tracking": {
"current_release_date": "2024-11-22T06:42:41+00:00",
"generator": {
"date": "2024-11-22T06:42:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1041",
"initial_release_date": "2013-07-10T23:36:00+00:00",
"revision_history": [
{
"date": "2013-07-10T23:36:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-10T23:44:29+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:42:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Web Framework Kit 2.3",
"product": {
"name": "Red Hat JBoss Web Framework Kit 2.3",
"product_id": "Red Hat JBoss Web Framework Kit 2.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.3.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Web Framework Kit"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Web Framework Kit 2.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-10T23:36:00+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting installation of Red Hat JBoss Enterprise Application Platform or\nRed Hat JBoss Web Server, and applications deployed to it.\n\nThe JBoss server process must be restarted for this update to take effect.",
"product_ids": [
"Red Hat JBoss Web Framework Kit 2.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1041"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Web Framework Kit 2.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
rhsa-2013_1041
Vulnerability from csaf_redhat
Published
2013-07-10 23:36
Modified
2024-11-22 06:42
Summary
Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.3.0 update
Notes
Topic
Red Hat JBoss Web Framework Kit 2.3.0, which fixes one security issue,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
Red Hat JBoss Web Framework Kit combines popular open source web frameworks
into a single solution for Java applications.
This release serves as a replacement for Red Hat JBoss Web Framework Kit
2.2.0, and includes bug fixes and enhancements. Refer to the 2.3.0
Release Notes for information on the most significant of these changes,
available shortly from https://access.redhat.com/site/documentation/
This release also fixes the following security issue:
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing installation of
Red Hat JBoss Enterprise Application Platform or Red Hat JBoss Web Server,
and applications deployed to it.
All users of Red Hat JBoss Web Framework Kit 2.2.0 as provided from the Red
Hat Customer Portal are advised to upgrade to Red Hat JBoss Web Framework
Kit 2.3.0.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss Web Framework Kit 2.3.0, which fixes one security issue,\nvarious bugs, and adds enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Web Framework Kit combines popular open source web frameworks\ninto a single solution for Java applications.\n\nThis release serves as a replacement for Red Hat JBoss Web Framework Kit\n2.2.0, and includes bug fixes and enhancements. Refer to the 2.3.0\nRelease Notes for information on the most significant of these changes,\navailable shortly from https://access.redhat.com/site/documentation/\n\nThis release also fixes the following security issue:\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing installation of\nRed Hat JBoss Enterprise Application Platform or Red Hat JBoss Web Server,\nand applications deployed to it.\n\nAll users of Red Hat JBoss Web Framework Kit 2.2.0 as provided from the Red\nHat Customer Portal are advised to upgrade to Red Hat JBoss Web Framework\nKit 2.3.0.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1041",
"url": "https://access.redhat.com/errata/RHSA-2013:1041"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/",
"url": "https://access.redhat.com/site/documentation/"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1041.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.3.0 update",
"tracking": {
"current_release_date": "2024-11-22T06:42:41+00:00",
"generator": {
"date": "2024-11-22T06:42:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1041",
"initial_release_date": "2013-07-10T23:36:00+00:00",
"revision_history": [
{
"date": "2013-07-10T23:36:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-10T23:44:29+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:42:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Web Framework Kit 2.3",
"product": {
"name": "Red Hat JBoss Web Framework Kit 2.3",
"product_id": "Red Hat JBoss Web Framework Kit 2.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.3.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Web Framework Kit"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Web Framework Kit 2.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-10T23:36:00+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting installation of Red Hat JBoss Enterprise Application Platform or\nRed Hat JBoss Web Server, and applications deployed to it.\n\nThe JBoss server process must be restarted for this update to take effect.",
"product_ids": [
"Red Hat JBoss Web Framework Kit 2.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1041"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Web Framework Kit 2.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
rhsa-2013:1043
Vulnerability from csaf_redhat
Published
2013-07-10 23:54
Modified
2024-11-22 06:42
Summary
Red Hat Security Advisory: richfaces security update
Notes
Topic
Updated richfaces packages that fix one security issue are now available
for Red Hat JBoss Web Platform 5.2.0 for Red Hat Enterprise Linux 4, 5,
and 6.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing Red Hat JBoss
Web Platform installation (including all applications and configuration
files).
All users of Red Hat JBoss Web Platform 5.2.0 on Red Hat Enterprise Linux
4, 5, and 6 are advised to upgrade to these updated packages. The JBoss
server process must be restarted for the update to take effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated richfaces packages that fix one security issue are now available\nfor Red Hat JBoss Web Platform 5.2.0 for Red Hat Enterprise Linux 4, 5,\nand 6.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "RichFaces is an open source framework that adds Ajax capability into\nexisting JavaServer Faces (JSF) applications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing Red Hat JBoss\nWeb Platform installation (including all applications and configuration\nfiles).\n\nAll users of Red Hat JBoss Web Platform 5.2.0 on Red Hat Enterprise Linux\n4, 5, and 6 are advised to upgrade to these updated packages. The JBoss\nserver process must be restarted for the update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1043",
"url": "https://access.redhat.com/errata/RHSA-2013:1043"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1043.json"
}
],
"title": "Red Hat Security Advisory: richfaces security update",
"tracking": {
"current_release_date": "2024-11-22T06:42:51+00:00",
"generator": {
"date": "2024-11-22T06:42:51+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1043",
"initial_release_date": "2013-07-10T23:54:00+00:00",
"revision_history": [
{
"date": "2013-07-10T23:54:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-10T23:55:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:42:51+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product": {
"name": "Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product": {
"name": "Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el5"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product": {
"name": "Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product": {
"name": "Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el4"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Web Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_id": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-3.SP3_patch_01.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_id": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-6.SP3_patch_01.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-framework@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-root@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-ui@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_id": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces-demo@3.3.1-11.SP3_patch_01.ep5.el4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product_id": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-3.SP3_patch_01.ep5.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product_id": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-6.SP3_patch_01.ep5.el5?arch=src"
}
}
},
{
"category": "product_version",
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product_id": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/richfaces@3.3.1-11.SP3_patch_01.ep5.el4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src"
},
"product_reference": "richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src"
},
"product_reference": "richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEWP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src"
},
"product_reference": "richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEWP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
},
"product_reference": "richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEWP-5"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEWP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEWP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
],
"known_not_affected": [
"4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4AS-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4AS-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-0:3.3.1-11.SP3_patch_01.ep5.el4.src",
"4ES-JBEWP-5:richfaces-demo-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-framework-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-root-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch",
"4ES-JBEWP-5:richfaces-ui-0:3.3.1-11.SP3_patch_01.ep5.el4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-10T23:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEWP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEWP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1043"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-0:3.3.1-6.SP3_patch_01.ep5.el5.src",
"5Server-JBEWP-5:richfaces-demo-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-framework-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-root-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"5Server-JBEWP-5:richfaces-ui-0:3.3.1-6.SP3_patch_01.ep5.el5.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-0:3.3.1-3.SP3_patch_01.ep5.el6.src",
"6Server-JBEWP-5:richfaces-demo-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-framework-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-root-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch",
"6Server-JBEWP-5:richfaces-ui-0:3.3.1-3.SP3_patch_01.ep5.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
RHSA-2013:1045
Vulnerability from csaf_redhat
Published
2013-07-11 00:14
Modified
2024-11-22 06:43
Summary
Red Hat Security Advisory: RichFaces security update
Notes
Topic
An update for the RichFaces component that fixes one security issue is now
available from the Red Hat Customer Portal for Red Hat JBoss Enterprise
Application Platform 4.3.0 CP10 and 5.2.0; Red Hat JBoss Web Platform
5.2.0; Red Hat JBoss BRMS 5.3.1; Red Hat JBoss SOA Platform 4.3.0 CP05 and
5.3.1; Red Hat JBoss Portal 4.3 CP07 and 5.2.2; and Red Hat JBoss
Operations Network 2.4.2 and 3.1.2.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing installation,
including all applications, configuration files, databases and database
settings, and so on. For Red Hat JBoss Operations Network, also back up
the Red Hat JBoss Operations Network server's file system directory.
All users of the affected products as provided from the Red Hat Customer
Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the RichFaces component that fixes one security issue is now\navailable from the Red Hat Customer Portal for Red Hat JBoss Enterprise\nApplication Platform 4.3.0 CP10 and 5.2.0; Red Hat JBoss Web Platform\n5.2.0; Red Hat JBoss BRMS 5.3.1; Red Hat JBoss SOA Platform 4.3.0 CP05 and\n5.3.1; Red Hat JBoss Portal 4.3 CP07 and 5.2.2; and Red Hat JBoss\nOperations Network 2.4.2 and 3.1.2.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "RichFaces is an open source framework that adds Ajax capability into\nexisting JavaServer Faces (JSF) applications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing installation,\nincluding all applications, configuration files, databases and database\nsettings, and so on. For Red Hat JBoss Operations Network, also back up\nthe Red Hat JBoss Operations Network server\u0027s file system directory.\n\nAll users of the affected products as provided from the Red Hat Customer\nPortal are advised to apply this update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1045",
"url": "https://access.redhat.com/errata/RHSA-2013:1045"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/",
"url": "https://access.redhat.com/site/documentation/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=5.2.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=5.2.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=4.3.0.GA_CP10",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=4.3.0.GA_CP10"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform\u0026downloadType=securityPatches\u0026version=5.2.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform\u0026downloadType=securityPatches\u0026version=5.2.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=5.3.1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=5.3.1"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=soaplatform\u0026version=4.3.0.GA_CP05",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=soaplatform\u0026version=4.3.0.GA_CP05"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=4.3+CP07",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=4.3+CP07"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.1.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.1.2"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=em\u0026version=2.4.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=em\u0026version=2.4.2"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1045.json"
}
],
"title": "Red Hat Security Advisory: RichFaces security update",
"tracking": {
"current_release_date": "2024-11-22T06:43:00+00:00",
"generator": {
"date": "2024-11-22T06:43:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1045",
"initial_release_date": "2013-07-11T00:14:00+00:00",
"revision_history": [
{
"date": "2013-07-11T00:14:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-11T00:16:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:43:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3",
"product_id": "Red Hat JBoss Enterprise Application Platform 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:update10"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5.2",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5.2",
"product_id": "Red Hat JBoss Enterprise Application Platform 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0"
}
}
},
{
"category": "product_name",
"name": "JBoss Enterprise BRMS Platform 5.3",
"product": {
"name": "JBoss Enterprise BRMS Platform 5.3",
"product_id": "JBoss Enterprise BRMS Platform 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Portal 4.3",
"product": {
"name": "Red Hat JBoss Portal 4.3",
"product_id": "Red Hat JBoss Portal 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:4.3.0:update7"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Portal 5.2",
"product": {
"name": "Red Hat JBoss Portal 5.2",
"product_id": "Red Hat JBoss Portal 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss SOA Platform 4.3",
"product": {
"name": "Red Hat JBoss SOA Platform 4.3",
"product_id": "Red Hat JBoss SOA Platform 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4.3.0:update5"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss SOA Platform 5.3",
"product": {
"name": "Red Hat JBoss SOA Platform 5.3",
"product_id": "Red Hat JBoss SOA Platform 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5.2",
"product": {
"name": "Red Hat JBoss Web Platform 5.2",
"product_id": "Red Hat JBoss Web Platform 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Operations Network 2.4",
"product": {
"name": "Red Hat JBoss Operations Network 2.4",
"product_id": "Red Hat JBoss Operations Network 2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_operations_network:2.4.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Operations Network 3.1",
"product": {
"name": "Red Hat JBoss Operations Network 3.1",
"product_id": "Red Hat JBoss Operations Network 3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_operations_network:3.1.2"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"JBoss Enterprise BRMS Platform 5.3",
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.2",
"Red Hat JBoss Operations Network 2.4",
"Red Hat JBoss Operations Network 3.1",
"Red Hat JBoss Portal 4.3",
"Red Hat JBoss Portal 5.2",
"Red Hat JBoss SOA Platform 4.3",
"Red Hat JBoss SOA Platform 5.3",
"Red Hat JBoss Web Platform 5.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-11T00:14:00+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on. For Red Hat JBoss Operations\nNetwork, also back up the Red Hat JBoss Operations Network server\u0027s file\nsystem directory.\n\nFor Red Hat JBoss BRMS, Red Hat JBoss SOA Platform, and Red Hat JBoss\nPortal, it is recommended to halt the server by stopping the JBoss\nApplication Server process before installing this update, and then after\ninstalling the update, restart the server by starting the JBoss Application\nServer process.\n\nRefer to the Red Hat JBoss Operations Network Release Notes for\ninstallation information.\n\nThe JBoss server process must be restarted for this update to take effect.",
"product_ids": [
"JBoss Enterprise BRMS Platform 5.3",
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.2",
"Red Hat JBoss Operations Network 2.4",
"Red Hat JBoss Operations Network 3.1",
"Red Hat JBoss Portal 4.3",
"Red Hat JBoss Portal 5.2",
"Red Hat JBoss SOA Platform 4.3",
"Red Hat JBoss SOA Platform 5.3",
"Red Hat JBoss Web Platform 5.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1045"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"JBoss Enterprise BRMS Platform 5.3",
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.2",
"Red Hat JBoss Operations Network 2.4",
"Red Hat JBoss Operations Network 3.1",
"Red Hat JBoss Portal 4.3",
"Red Hat JBoss Portal 5.2",
"Red Hat JBoss SOA Platform 4.3",
"Red Hat JBoss SOA Platform 5.3",
"Red Hat JBoss Web Platform 5.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
fkie_cve-2013-2165
Vulnerability from fkie_nvd
Published
2013-07-23 11:03
Modified
2024-11-21 01:51
Severity ?
Summary
ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E82B2AD8-967D-4ABE-982B-87B9DE73F8D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp10:*:*:*:*:*:*",
"matchCriteriaId": "424C0428-6E78-42B2-B77A-921116528D06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F5D7F1AD-4BD3-4C37-B6B5-B287464B2EEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "76D8FCD1-55D5-4187-87DD-39904EDE2EF8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "972C5C87-E982-44A5-866D-FDEACB5203B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C13890AE-5FDE-4698-8A2E-1B2FA0A313AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8A785F07-9B76-4153-B676-29C9682B2F73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46849C8D-36E9-4E97-BB49-E04F4EB199E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9CDC2527-97FE-409D-8DD6-78E085CC73C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "41B77A70-95E1-4333-90E4-8056389EEE92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1BB18D40-E8EA-4EB7-A25D-15CE6B65E21F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E911B601-2A14-4C23-81FF-689DBDB79626",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4DECC247-477B-4AB3-9FD4-B7B6726A728D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C70B67DF-8122-40D6-9301-B1DD31D71F55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A6B1CE36-5131-425D-90BD-FC597F27B3E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp03:*:*:*:*:*:*",
"matchCriteriaId": "8F570DE3-8759-44F9-B515-71889139A443",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp04:*:*:*:*:*:*",
"matchCriteriaId": "B5FED015-A1E5-4CDC-9E99-97FA0ED2454D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp05:*:*:*:*:*:*",
"matchCriteriaId": "D20B3197-3BB8-427B-8B92-D53B200A235A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp06:*:*:*:*:*:*",
"matchCriteriaId": "A87344DF-9FA8-40B6-98B2-A43FB86BBB6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp07:*:*:*:*:*:*",
"matchCriteriaId": "C9C9C8B4-693E-4777-BC31-5933147DFC54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3221242F-802E-418B-BC9D-CFA200D99171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5472541F-ED83-4656-AE18-1642F571D294",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "97165B18-1078-4215-94DA-0B6C4228056E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A62117F2-5513-4998-8FDC-64564BBD00EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D66D2843-0273-4A3A-A9D1-48BBB15031B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6572BFDD-0A35-48CC-99A1-2BDE27BABB62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3451D2AD-BB7B-4149-97C3-2DB1BCC0EF85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CDEABE3E-DC3E-4B98-8433-4308BBEE6F26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp01:*:*:*:*:*:*",
"matchCriteriaId": "70942A41-9089-4313-8B00-5CB92518A349",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp02:*:*:*:*:*:*",
"matchCriteriaId": "093F7EA4-B190-49A5-AF55-42D4F960EEFE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp03:*:*:*:*:*:*",
"matchCriteriaId": "75CBF063-6986-4217-BC8E-661B5167AB2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp04:*:*:*:*:*:*",
"matchCriteriaId": "3F6528B6-1147-4366-8F81-8B380903EAA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp05:*:*:*:*:*:*",
"matchCriteriaId": "4EF1898E-1A25-442B-865F-1C27B9E5F0D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:tp02:*:*:*:*:*:*",
"matchCriteriaId": "92953D9C-8FF0-4499-A4A4-3B05696D326E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C57B8004-AF15-4F0F-B9FA-A3CFF7BD42DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp01:*:*:*:*:*:*",
"matchCriteriaId": "66F4FC45-CF67-44E4-96CA-31B537151C7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp02:*:*:*:*:*:*",
"matchCriteriaId": "E7CF5F63-C7A8-4787-9620-F5B76A9F0F3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp03:*:*:*:*:*:*",
"matchCriteriaId": "9BCA6581-3C94-4B1B-B30F-E0B854A68968",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp04:*:*:*:*:*:*",
"matchCriteriaId": "23F0650B-C39D-4C7D-8BB9-BBA951BA8AAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp05:*:*:*:*:*:*",
"matchCriteriaId": "67BD448A-745D-4387-ABC8-A18DF142574D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DFB8FED0-E0C6-409C-A2D8-B3999265D545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DFC497FD-503A-463B-A75E-9C4B9B716521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8F224EE-A5A1-490B-91A5-0196B4168F32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B72D56E-DE3C-4383-906D-F3DCD9D09CC9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "55661526-BC23-4853-BF6C-E1899D747EC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "118B3D27-8BF7-48ED-9D22-564B7D515610",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2CD4700B-4C95-426E-ADF6-D165BB3E6F85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "93B87581-F441-4A93-B797-337B7572CC08",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DC20F443-4918-46D2-8251-1C8F072B7733",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F20B8708-8EC6-4B0E-9693-131F91A4FC15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4C534793-58E0-45B9-84D7-D21E1C4C9F7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "38F66D5B-F906-437E-977E-F9F930648886",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DC1625FD-302E-457E-BDD1-977DE614CB47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D29DC3CE-E782-47F7-BDF4-4AB63728F05B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DF4A10F6-2128-4986-8A28-BD9B679D8380",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3B720DED-23EE-4830-9C8B-441A38DAE80E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0FD44168-A91A-4043-8C34-7A20DC2C1A19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "66926B59-4A4F-47B9-9B2B-3D8DC698BC97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D72DFB62-EEA6-4126-9DC3-B191CC8D0CA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "B8DBE132-2A98-40C6-947F-50C1D06DDFB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "18EB42B1-D507-4B48-B835-C87AC5CC3650",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "376C608B-645D-4560-8A7E-4154DCFD2B1F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C077D692-150C-4AE9-8C0B-7A3EA5EB1100",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5DE5BA7D-BEFA-474C-BBD3-4C22F1283182",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4EFFA4B2-1562-48E0-A598-3C1F8973FDF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "495496C9-8CFE-431D-84EB-1C94B7C74E82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_operations_network:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F57B34F5-66CD-4051-8406-54709C39572F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_web_framework_kit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E43C0ED7-47AA-474B-B1E8-D5358EA40A41",
"versionEndIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_web_framework_kit:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69A1DC5C-28D4-4C03-9B4D-EB474714B530",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_web_framework_kit:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0043DABE-2CF1-46FA-BC11-058EF8800D37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_web_framework_kit:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6EA16184-345B-47C0-B5C2-2FC47E7BCD87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_web_framework_kit:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "910ABBBA-7FAC-4512-801C-3FDB5D7584D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_web_framework_kit:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "30B541A7-C0DC-4650-9C58-22E4FB14C213",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7714AE54-6EA9-4FF0-995A-EAE7C9EC90A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BF339098-BFB5-4795-84D0-1D4E3CA291C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9E1D36E4-44D9-4BCB-A5BB-6F9411A1EF02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E459D64B-4427-45D4-9AD8-27322D472AA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BECB4A09-BF7E-4314-9DFA-FB093FD1035F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FA0C4149-1B58-44B4-8A4C-694EC46357B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "597510CA-20F6-4BFB-B674-BA2E54510D70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5E67C14B-9CAB-401F-9B8E-367DABC8B403",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.2.0:sr1:*:*:*:*:*:*",
"matchCriteriaId": "CC999E61-A1E7-434F-89C5-D65150FFD3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FDDF3150-DB24-45B5-8AE4-E1389BFC7D9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0C460B1D-6C7D-40B8-8F23-192CCEB68948",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6A03D84C-BB68-4564-97F7-8CD326D86B4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7E2B5531-406B-47EA-A61F-2D3DD07E5BE9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8D2FE027-BF63-4EC9-B743-C7A805A65FCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.3.2:sr1:*:*:*:*:*:*",
"matchCriteriaId": "66F0B040-84E3-44B4-ACE4-0BC9366C064E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:3.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FD902B25-B15E-463E-8DF0-7DD0889A2B00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E27F9EFE-D7CA-46A0-99B2-F4FDE622A9CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B4A438EF-E450-49DE-B745-3F8034C715DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7201416F-1CAC-431E-93A8-74FBB708CC53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E9C9F20-702E-4943-9AE9-D419BFFFBC45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8E7B1BC4-71B6-4F46-927F-E537A1688CD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:4.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "730FB8DB-5116-4BF2-9348-F280ACF3D197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:4.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B82F2B98-5B8B-4BA0-912C-0C6C6B5393DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:4.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "986311E6-C44C-4DFF-A74B-1501DFB9B5A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:4.5.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "4D6E0C8B-8901-47F9-A96E-645BE5037666",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:richfaces:5.0.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "8DA147D3-F295-4DBD-87AD-40C7F9B00C8F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data."
},
{
"lang": "es",
"value": "ResourceBuilderImpl.java en la implementaci\u00f3n de RichFaces 3.x a 5.x en la implementaci\u00f3n de Red Hat JBoss Web Framework Kit anterior a 2.3.0, Red Hat JBoss Web Platform a 5.2.0, Red Hat JBoss Enterprise Application Platform a 4.3.0 CP10 y 5.x a la 5.2.0, Red Hat JBoss BRMS hasta la 5.3.1, Red Hat JBoss SOA Platform hasta la 4.3.0 CP05 y 5.x hasta la 5.3.1, Red Hat JBoss Portal hasta la 4.3 CP07 y 5.x hasta 5.2.2, y Red Hat JBoss Operations Network hasta 2.4.2 y 3.x hasta la 3.1.2, no restringe las clases para la deserializaci\u00f3n de los m\u00e9todos que pueden ser invocados, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de datos serializados."
}
],
"evaluatorComment": "Per: http://www.bleathem.ca/blog/2013/07/richfaces-CVE-2013-2165.html\n\n\"Download RichFaces 3.3.4.Final or RichFaces 4.3.3.Final and use them in your applications to protect yourself from this vulnerability.\"",
"id": "CVE-2013-2165",
"lastModified": "2024-11-21T01:51:10.207",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-07-23T11:03:11.980",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvn.jp/en/jp/JVN38787103/index.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072"
},
{
"source": "secalert@redhat.com",
"url": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1041.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1042.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1043.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1044.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1045.html"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/fulldisclosure/2020/Mar/21"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvn.jp/en/jp/JVN38787103/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1041.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1042.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1043.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1044.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1045.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2020/Mar/21"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
ghsa-4344-frcp-j22q
Vulnerability from github
Published
2022-05-13 01:27
Modified
2022-11-03 22:44
Summary
Remote code execution due to insecure deserialization
Details
A flaw was found in the way JBoss RichFaces handled deserialization. A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server. This could lead to a variety of security impacts depending on the deserialization logic of these classes.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.richfaces:richfaces"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.richfaces:richfaces"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-2165"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2022-11-03T22:44:02Z",
"nvd_published_at": "2013-07-23T11:03:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in the way JBoss RichFaces handled deserialization. A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server. This could lead to a variety of security impacts depending on the deserialization logic of these classes.",
"id": "GHSA-4344-frcp-j22q",
"modified": "2022-11-03T22:44:02Z",
"published": "2022-05-13T01:27:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN38787103/index.html"
},
{
"type": "WEB",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Mar/21"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Remote code execution due to insecure deserialization"
}
cve-2013-2165
Vulnerability from jvndb
Published
2013-07-19 12:32
Modified
2013-07-24 16:16
Summary
JBoss RichFaces vulnerable to remote code execution
Details
JBoss RichFaces contains a remote code execution vulnerability due to an issue with deserialization.
JBoss RichFaces is a framework for integrating Ajax into web applications. JBoss RichFaces applications contain a deserialization interface where end users may provide input. This interface may deserialize untrusted data, which may lead to arbitrary code execution.
Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000072.html",
"dc:date": "2013-07-24T16:16+09:00",
"dcterms:issued": "2013-07-19T12:32+09:00",
"dcterms:modified": "2013-07-24T16:16+09:00",
"description": "JBoss RichFaces contains a remote code execution vulnerability due to an issue with deserialization.\r\n\r\nJBoss RichFaces is a framework for integrating Ajax into web applications. JBoss RichFaces applications contain a deserialization interface where end users may provide input. This interface may deserialize untrusted data, which may lead to arbitrary code execution. \r\n\r\nTakeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000072.html",
"sec:cpe": [
{
"#text": "cpe:/a:redhat:jboss_enterprise_application_platform",
"@product": "JBoss Enterprise Application Platform",
"@vendor": "Red Hat, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/a:redhat:jboss_enterprise_brms_platform",
"@product": "Red Hat JBoss BRMS",
"@vendor": "Red Hat, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/a:redhat:jboss_enterprise_soa_platform",
"@product": "Red Hat JBoss SOA Platform",
"@vendor": "Red Hat, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/a:redhat:jboss_enterprise_web_platform",
"@product": "JBoss Enterprise Web Platform",
"@vendor": "Red Hat, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/a:redhat:jboss_operations_network",
"@product": "Red Hat JBoss Operations Network",
"@vendor": "Red Hat, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/a:redhat:jboss_portal",
"@product": "Red Hat JBoss Portal",
"@vendor": "Red Hat, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/a:redhat:jboss_web_framework_kit",
"@product": "JBoss Web Framework Kit",
"@vendor": "Red Hat, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/a:redhat:richfaces",
"@product": "JBoss RichFaces",
"@vendor": "Red Hat, Inc.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2013-000072",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN38787103/index.html",
"@id": "JVN#38787103",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2165",
"@id": "CVE-2013-2165",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2165",
"@id": "CVE-2013-2165",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/security/ciadr/vul/20130719-jvn.html",
"@id": "Security Updates Available for JBoss RichFaces (JVN#38787103)",
"@source": "IPA SECURITY ALERTS"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "JBoss RichFaces vulnerable to remote code execution"
}
gsd-2013-2165
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-2165",
"description": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"id": "GSD-2013-2165",
"references": [
"https://access.redhat.com/errata/RHSA-2013:1045",
"https://access.redhat.com/errata/RHSA-2013:1044",
"https://access.redhat.com/errata/RHSA-2013:1043",
"https://access.redhat.com/errata/RHSA-2013:1042",
"https://access.redhat.com/errata/RHSA-2013:1041",
"https://packetstormsecurity.com/files/cve/CVE-2013-2165"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2013-2165"
],
"details": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"id": "GSD-2013-2165",
"modified": "2023-12-13T01:22:17.028640Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-2165",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://jvn.jp/en/jp/JVN38787103/index.html",
"refsource": "MISC",
"url": "http://jvn.jp/en/jp/JVN38787103/index.html"
},
{
"name": "http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072",
"refsource": "MISC",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072"
},
{
"name": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-1041.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1041.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-1042.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1042.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-1043.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1043.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-1044.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1044.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2013-1045.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1045.html"
},
{
"name": "http://seclists.org/fulldisclosure/2020/Mar/21",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2020/Mar/21"
},
{
"name": "https://access.redhat.com/security/cve/CVE-2013-2165",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=973570",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[3,3.3.3.FINAL]",
"affected_versions": "All versions starting from 3 up to 3.3.3.FINAL",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2017-06-12",
"description": "`ResourceBuilderImpl.java` does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"fixed_versions": [
"3.3.4.FINAL"
],
"identifier": "CVE-2013-2165",
"identifiers": [
"CVE-2013-2165"
],
"not_impacted": "All versions before 3, all versions after 3.3.3.FINAL",
"package_slug": "maven/org.richfaces.ui/richfaces-ui",
"pubdate": "2013-07-23",
"solution": "Upgrade to version 3.3.4.FINAL or above.",
"title": "Deserialization of Untrusted Data",
"urls": [],
"uuid": "ea7ad997-8689-4ed9-a944-e5ffd299c18e"
},
{
"affected_range": "[3.1.0,3.3.3),[4.0.0,4.3.2)",
"affected_versions": "All versions starting from 3.1.0 before 3.3.3, all versions starting from 4.0.0 before 4.3.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2022-11-03",
"description": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"fixed_versions": [
"3.3.3",
"4.3.2"
],
"identifier": "CVE-2013-2165",
"identifiers": [
"GHSA-4344-frcp-j22q",
"CVE-2013-2165"
],
"not_impacted": "All versions before 3.1.0, all versions starting from 3.3.3 before 4.0.0, all versions starting from 4.3.2",
"package_slug": "maven/org.richfaces/richfaces",
"pubdate": "2022-05-13",
"solution": "Upgrade to versions 3.3.3, 4.3.2 or above.",
"title": "Remote code execution due to insecure deserialization",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"https://access.redhat.com/security/cve/CVE-2013-2165",
"https://bugzilla.redhat.com/show_bug.cgi?id=973570",
"http://jvn.jp/en/jp/JVN38787103/index.html",
"http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072",
"http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html",
"http://seclists.org/fulldisclosure/2020/Mar/21",
"https://github.com/advisories/GHSA-4344-frcp-j22q"
],
"uuid": "eddc5761-a68f-4738-8d60-e3a80c67612f"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:4.5.0:alpha1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp03:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_web_framework_kit:2.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp10:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:tp02:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:3.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:5.0.0:alpha1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_web_framework_kit:1.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:3.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp02:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp06:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:2.4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:2.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_web_framework_kit:1.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp01:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:4.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:2.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:4.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:1.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:4.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp07:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_web_framework_kit:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:2.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp05:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp04:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.3.2:sr1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp04:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_web_framework_kit:1.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp01:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp03:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:4.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:4.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:2.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:4.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.2.0:sr1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp05:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:3.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:4.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp05:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_operations_network:2.4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp03:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_web_framework_kit:2.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:3.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:richfaces:4.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp04:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp02:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-2165"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://access.redhat.com/security/cve/CVE-2013-2165",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"name": "JVNDB-2013-000072",
"refsource": "JVNDB",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072"
},
{
"name": "JVN#38787103",
"refsource": "JVN",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvn.jp/en/jp/JVN38787103/index.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=973570",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"name": "RHSA-2013:1042",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1042.html"
},
{
"name": "RHSA-2013:1044",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1044.html"
},
{
"name": "RHSA-2013:1041",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1041.html"
},
{
"name": "RHSA-2013:1045",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1045.html"
},
{
"name": "RHSA-2013:1043",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1043.html"
},
{
"name": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html",
"refsource": "MISC",
"tags": [],
"url": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html"
},
{
"name": "20200313 RichFaces exploitation toolkit",
"refsource": "FULLDISC",
"tags": [],
"url": "http://seclists.org/fulldisclosure/2020/Mar/21"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-02-13T00:28Z",
"publishedDate": "2013-07-23T11:03Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.