CVE-2014-3518

jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2014-0887.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.1:::::::*

History

No history.

Information

Published : 2014-07-22 20:55

Updated : 2024-02-28 12:20

NVD link : CVE-2014-3518

Mitre link : CVE-2014-3518

CVE.ORG link : CVE-2014-3518

JSON object : View

Products Affected

redhat

jboss_enterprise_brms_platform
jboss_enterprise_portal_platform
jboss_enterprise_application_platform
jboss_enterprise_soa_platform

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2014-3518", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-07-22T20:55:01.843", "references": [{"url": "http://rhn.redhat.com/errata/RHSA-2014-0887.html", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors."}, {"lang": "es", "value": "jmx-remoting.sar en JBoss Remoting, utilizado en Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2 y Red Hat JBoss SOA Platform 5.3.1, no implementa debidamente la especificaci\u00f3n JSR 160, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores no especificados."}], "lastModified": "2014-07-23T13:14:26.877", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46849C8D-36E9-4E97-BB49-E04F4EB199E6"}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6B1CE36-5131-425D-90BD-FC597F27B3E4"}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3451D2AD-BB7B-4149-97C3-2DB1BCC0EF85"}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93B87581-F441-4A93-B797-337B7572CC08"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}