rhsa-2013_1045
Vulnerability from csaf_redhat
Published
2013-07-11 00:14
Modified
2024-11-22 06:43
Summary
Red Hat Security Advisory: RichFaces security update
Notes
Topic
An update for the RichFaces component that fixes one security issue is now
available from the Red Hat Customer Portal for Red Hat JBoss Enterprise
Application Platform 4.3.0 CP10 and 5.2.0; Red Hat JBoss Web Platform
5.2.0; Red Hat JBoss BRMS 5.3.1; Red Hat JBoss SOA Platform 4.3.0 CP05 and
5.3.1; Red Hat JBoss Portal 4.3 CP07 and 5.2.2; and Red Hat JBoss
Operations Network 2.4.2 and 3.1.2.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
RichFaces is an open source framework that adds Ajax capability into
existing JavaServer Faces (JSF) applications.
A flaw was found in the way RichFaces ResourceBuilderImpl handled
deserialization. A remote attacker could use this flaw to trigger the
execution of the deserialization methods in any serializable class deployed
on the server. This could lead to a variety of security impacts depending
on the deserialization logic of these classes. (CVE-2013-2165)
The fix for this issue introduces a whitelist to limit classes that can be
deserialized by RichFaces.
If you require to whitelist a class that is not already listed, for
example, a custom class, you can achieve this by following one of these
methods:
Method 1: Implementing the SerializableResource interface.
In RichFaces 3, this is defined at
org.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at
org.richfaces.resource.SerializableResource.
Method 2: Adding the class to the resource-serialization.properties file
(a default properties file is provided once this update is applied).
To do this you can extend the framework provided properties file that is
available under org.ajax4jsf.resource in RichFaces 3 and
org.richfaces.resource in RichFaces 4/5. The modified properties file has
to be copied into the classpath of your deployment under the
version-specific packages.
Where possible, it is recommended that Method 1 be followed.
Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure
Directions, Inc.) for reporting this issue.
Warning: Before applying this update, back up your existing installation,
including all applications, configuration files, databases and database
settings, and so on. For Red Hat JBoss Operations Network, also back up
the Red Hat JBoss Operations Network server's file system directory.
All users of the affected products as provided from the Red Hat Customer
Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the RichFaces component that fixes one security issue is now\navailable from the Red Hat Customer Portal for Red Hat JBoss Enterprise\nApplication Platform 4.3.0 CP10 and 5.2.0; Red Hat JBoss Web Platform\n5.2.0; Red Hat JBoss BRMS 5.3.1; Red Hat JBoss SOA Platform 4.3.0 CP05 and\n5.3.1; Red Hat JBoss Portal 4.3 CP07 and 5.2.2; and Red Hat JBoss\nOperations Network 2.4.2 and 3.1.2.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "RichFaces is an open source framework that adds Ajax capability into\nexisting JavaServer Faces (JSF) applications.\n\nA flaw was found in the way RichFaces ResourceBuilderImpl handled\ndeserialization. A remote attacker could use this flaw to trigger the\nexecution of the deserialization methods in any serializable class deployed\non the server. This could lead to a variety of security impacts depending\non the deserialization logic of these classes. (CVE-2013-2165)\n\nThe fix for this issue introduces a whitelist to limit classes that can be\ndeserialized by RichFaces.\n\nIf you require to whitelist a class that is not already listed, for\nexample, a custom class, you can achieve this by following one of these\nmethods:\n\nMethod 1: Implementing the SerializableResource interface.\nIn RichFaces 3, this is defined at\norg.ajax4jsf.resource.SerializableResource and in RichFaces 4/5, at\norg.richfaces.resource.SerializableResource.\n\nMethod 2: Adding the class to the resource-serialization.properties file\n(a default properties file is provided once this update is applied).\nTo do this you can extend the framework provided properties file that is\navailable under org.ajax4jsf.resource in RichFaces 3 and\norg.richfaces.resource in RichFaces 4/5. The modified properties file has\nto be copied into the classpath of your deployment under the\nversion-specific packages.\n\nWhere possible, it is recommended that Method 1 be followed.\n\nRed Hat would like to thank Takeshi Terada (Mitsui Bussan Secure\nDirections, Inc.) for reporting this issue.\n\nWarning: Before applying this update, back up your existing installation,\nincluding all applications, configuration files, databases and database\nsettings, and so on. For Red Hat JBoss Operations Network, also back up\nthe Red Hat JBoss Operations Network server\u0027s file system directory.\n\nAll users of the affected products as provided from the Red Hat Customer\nPortal are advised to apply this update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1045",
"url": "https://access.redhat.com/errata/RHSA-2013:1045"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/",
"url": "https://access.redhat.com/site/documentation/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=5.2.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=5.2.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=4.3.0.GA_CP10",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=4.3.0.GA_CP10"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform\u0026downloadType=securityPatches\u0026version=5.2.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform\u0026downloadType=securityPatches\u0026version=5.2.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=5.3.1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=5.3.1"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=soaplatform\u0026version=4.3.0.GA_CP05",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=soaplatform\u0026version=4.3.0.GA_CP05"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=4.3+CP07",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=4.3+CP07"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.1.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.1.2"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=em\u0026version=2.4.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=em\u0026version=2.4.2"
},
{
"category": "external",
"summary": "973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1045.json"
}
],
"title": "Red Hat Security Advisory: RichFaces security update",
"tracking": {
"current_release_date": "2024-11-22T06:43:00+00:00",
"generator": {
"date": "2024-11-22T06:43:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2013:1045",
"initial_release_date": "2013-07-11T00:14:00+00:00",
"revision_history": [
{
"date": "2013-07-11T00:14:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-07-11T00:16:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:43:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3",
"product_id": "Red Hat JBoss Enterprise Application Platform 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:update10"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5.2",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5.2",
"product_id": "Red Hat JBoss Enterprise Application Platform 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0"
}
}
},
{
"category": "product_name",
"name": "JBoss Enterprise BRMS Platform 5.3",
"product": {
"name": "JBoss Enterprise BRMS Platform 5.3",
"product_id": "JBoss Enterprise BRMS Platform 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Portal 4.3",
"product": {
"name": "Red Hat JBoss Portal 4.3",
"product_id": "Red Hat JBoss Portal 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:4.3.0:update7"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Portal 5.2",
"product": {
"name": "Red Hat JBoss Portal 5.2",
"product_id": "Red Hat JBoss Portal 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss SOA Platform 4.3",
"product": {
"name": "Red Hat JBoss SOA Platform 4.3",
"product_id": "Red Hat JBoss SOA Platform 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4.3.0:update5"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss SOA Platform 5.3",
"product": {
"name": "Red Hat JBoss SOA Platform 5.3",
"product_id": "Red Hat JBoss SOA Platform 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Platform 5.2",
"product": {
"name": "Red Hat JBoss Web Platform 5.2",
"product_id": "Red Hat JBoss Web Platform 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Operations Network 2.4",
"product": {
"name": "Red Hat JBoss Operations Network 2.4",
"product_id": "Red Hat JBoss Operations Network 2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_operations_network:2.4.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Operations Network 3.1",
"product": {
"name": "Red Hat JBoss Operations Network 3.1",
"product_id": "Red Hat JBoss Operations Network 3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_operations_network:3.1.2"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Takeshi Terada"
],
"organization": "Mitsui Bussan Secure Directions, Inc."
}
],
"cve": "CVE-2013-2165",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2013-06-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "973570"
}
],
"notes": [
{
"category": "description",
"text": "ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RichFaces: Remote code execution due to insecure deserialization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"JBoss Enterprise BRMS Platform 5.3",
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.2",
"Red Hat JBoss Operations Network 2.4",
"Red Hat JBoss Operations Network 3.1",
"Red Hat JBoss Portal 4.3",
"Red Hat JBoss Portal 5.2",
"Red Hat JBoss SOA Platform 4.3",
"Red Hat JBoss SOA Platform 5.3",
"Red Hat JBoss Web Platform 5.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2165"
},
{
"category": "external",
"summary": "RHBZ#973570",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=973570"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2165",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2165"
}
],
"release_date": "2013-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-07-11T00:14:00+00:00",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on. For Red Hat JBoss Operations\nNetwork, also back up the Red Hat JBoss Operations Network server\u0027s file\nsystem directory.\n\nFor Red Hat JBoss BRMS, Red Hat JBoss SOA Platform, and Red Hat JBoss\nPortal, it is recommended to halt the server by stopping the JBoss\nApplication Server process before installing this update, and then after\ninstalling the update, restart the server by starting the JBoss Application\nServer process.\n\nRefer to the Red Hat JBoss Operations Network Release Notes for\ninstallation information.\n\nThe JBoss server process must be restarted for this update to take effect.",
"product_ids": [
"JBoss Enterprise BRMS Platform 5.3",
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.2",
"Red Hat JBoss Operations Network 2.4",
"Red Hat JBoss Operations Network 3.1",
"Red Hat JBoss Portal 4.3",
"Red Hat JBoss Portal 5.2",
"Red Hat JBoss SOA Platform 4.3",
"Red Hat JBoss SOA Platform 5.3",
"Red Hat JBoss Web Platform 5.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1045"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"JBoss Enterprise BRMS Platform 5.3",
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.2",
"Red Hat JBoss Operations Network 2.4",
"Red Hat JBoss Operations Network 3.1",
"Red Hat JBoss Portal 4.3",
"Red Hat JBoss Portal 5.2",
"Red Hat JBoss SOA Platform 4.3",
"Red Hat JBoss SOA Platform 5.3",
"Red Hat JBoss Web Platform 5.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "RichFaces: Remote code execution due to insecure deserialization"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.