PT-2010-5017 · Red Hat · JBoss Drools +2

Marc Schoenefeld · Published 2010-12-30 · Updated 2022-05-17 · CVE-2010-3708

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Red Hat JBoss Enterprise Application Platform versions 4.3 before 4.3.0.CP09
Red Hat JBoss Enterprise SOA Platform versions 4.2 and 4.3

Description
The serialization implementation in JBoss Drools supports the embedding of class files, which allows remote attackers to execute arbitrary code via a crafted static initializer in an embedded class file.

Recommendations
For Red Hat JBoss Enterprise Application Platform versions 4.3 before 4.3.0.CP09 and for Red Hat JBoss Enterprise SOA Platform versions 4.2 and 4.3, apply the fix from Drools 4.0.7 to patch the vulnerability.

Fix · RCE


Weakness Enumeration

Related Identifiers

CVE-2010-3708
GHSA-QVQ6-CW53-RMWG
RHSA-2010:0937
RHSA-2010:0938

Affected Products

JBoss Drools
Red Hat JBoss Enterprise Application Platform
Red Hat JBoss Enterprise SOA Platform