Description

The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors.

Remediation

References

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=766469

http://rhn.redhat.com/errata/RHSA-2012-1022.html

http://rhn.redhat.com/errata/RHSA-2012-1023.html

http://rhn.redhat.com/errata/RHSA-2012-1024.html

http://rhn.redhat.com/errata/RHSA-2012-1025.html

http://rhn.redhat.com/errata/RHSA-2012-1026.html

http://rhn.redhat.com/errata/RHSA-2012-1027.html

http://rhn.redhat.com/errata/RHSA-2012-1028.html

http://rhn.redhat.com/errata/RHSA-2012-1109.html

http://rhn.redhat.com/errata/RHSA-2012-1125.html

http://rhn.redhat.com/errata/RHSA-2012-1232.html

http://rhn.redhat.com/errata/RHSA-2012-1295.html

http://secunia.com/advisories/49656

http://secunia.com/advisories/49658

http://secunia.com/advisories/50084

http://secunia.com/advisories/50549

http://www.securityfocus.com/bid/54644

http://www.securitytracker.com/id?1027501

Related Vulnerabilities

CVE-2014-0050 Vulnerability in maven package org.apache.jackrabbit:oak-run

CVE-2012-0022 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2023-6911 Vulnerability in maven package org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui

CVE-2016-6793 Vulnerability in maven package org.apache.wicket:wicket-util

CVE-2015-7559 Vulnerability in maven package org.apache.activemq:activemq-core

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory