PT-2011-3162 · Red Hat · Red Hat JBoss Enterprise Application Platform +2
Martin Kouba · Published 2011-07-27 · Updated 2011-10-26
CVE-2011-1484
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
JBoss Seam 2 framework versions 2.2.x and earlier
Red Hat JBoss Enterprise SOA Platform versions 4.3.0.CP04 and 5.1.0
JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) versions 4.3.0.CP09 and 5.1.0
Description
The JBoss Seam 2 framework does not properly restrict the use of Expression Language (EL) statements in FacesMessages during page exception handling. This allows remote attackers to execute arbitrary Java code via a crafted URL to an application.
Recommendations
For JBoss Seam 2 framework versions 2.2.x and earlier, restrict the use of Expression Language (EL) statements in FacesMessages during page exception handling.
For Red Hat JBoss Enterprise SOA Platform versions 4.3.0.CP04 and 5.1.0, update the JBoss Seam 2 framework to a version that properly restricts EL statements.
For JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) versions 4.3.0.CP09 and 5.1.0, update the JBoss Seam 2 framework to a version that properly restricts EL statements.
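The following is an added illustration of the bug class described above and of the restriction the recommendations call for; it is not Seam's code and does not reproduce Seam's real Interpolator or its fix. It assumes, for the sake of the demonstration, that the exception text handed to the message API echoes part of the requested URL; the `#{...}` evaluator is a hypothetical toy that only adds integers, so the effect of interpolation is visible without any real EL engine.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SafeFacesMessage {
    // Hypothetical stand-in for a template interpolator: every #{...} in the
    // template is evaluated. Real EL can reach arbitrary Java; this toy only
    // sums integers, which is enough to show whether evaluation happened.
    private static final Pattern EL = Pattern.compile("#\\{([^}]*)\\}");

    static String interpolate(String template) {
        Matcher m = EL.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement(evaluate(m.group(1))));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Toy evaluator: "a+b+c" over integers, nothing else.
    private static String evaluate(String expr) {
        int sum = 0;
        for (String part : expr.split("\\+")) {
            sum += Integer.parseInt(part.trim());
        }
        return Integer.toString(sum);
    }

    // Vulnerable pattern: untrusted exception text becomes part of the
    // template, so any #{...} it carries is evaluated by the interpolator.
    static String vulnerableMessage(Exception e) {
        return interpolate("Page failed: " + e.getMessage());
    }

    // Hardened pattern: only the fixed, trusted template is interpolated;
    // the untrusted text is spliced in afterwards as plain data.
    static String safeMessage(Exception e) {
        String rendered = interpolate("Page failed: {0}");
        return rendered.replace("{0}", String.valueOf(e.getMessage()));
    }

    public static void main(String[] args) {
        // Constructed sample: an exception whose text echoes a requested view ID.
        Exception e = new IllegalStateException("no view /app/#{1+1}.xhtml");
        System.out.println(vulnerableMessage(e));
        System.out.println(safeMessage(e));
    }
}
```

The first line printed shows the expression replaced by its result, the second shows the untrusted text left untouched; the same separation of template and data is what "restricting EL statements in FacesMessages" amounts to in practice.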
Fix
RCE
Affected Products
Red Hat JBoss Enterprise Application Platform
JBoss Seam 2
Red Hat JBoss Enterprise SOA Platform