PT-2013-1520 · Red Hat · Web Platform +3

David Jorm · Published 2013-02-05 · Updated 2025-02-12 · CVE-2012-0874

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

JBoss Enterprise Application Platform (EAP) versions prior to 5.2.0
Web Platform (EWP) versions prior to 5.2.0
BRMS Platform versions prior to 5.3.1
SOA Platform versions prior to 5.3.1

Description

The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets do not require authentication by default in certain profiles. This might allow a remote attacker to invoke MBean methods and execute arbitrary code via unspecified vectors. The issue can only be exploited when the interceptor is not properly configured with a "second layer of authentication", or when it is combined with other vulnerabilities that bypass that second layer.

Recommendations

For JBoss Enterprise Application Platform (EAP) versions prior to 5.2.0, update to version 5.2.0 or later.
For Web Platform (EWP) versions prior to 5.2.0, update to version 5.2.0 or later.
For BRMS Platform versions prior to 5.3.1, update to version 5.3.1 or later.
For SOA Platform versions prior to 5.3.1, update to version 5.3.1 or later.
As a temporary workaround, configure the interceptor with a "second layer of authentication" so that the invoker servlets cannot be reached without authenticating.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2012-0874
RHSA-2013:0191
RHSA-2013:0192
RHSA-2013:0193
RHSA-2013:0195
RHSA-2013:0196
RHSA-2013:0197

Affected Products

BRMS Platform
Red Hat JBoss Enterprise Application Platform
SOA Platform
Web Platform