PT-2013-1602 · Red Hat · Jboss Web Platform+3

Carlo De Wolf

Published

2013-02-05

Updated

2017-08-29

CVE-2012-3369

CVSS v2.0

4.0

Medium

Vector

AV:N/AC:H/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions JBoss Enterprise Application Platform (EAP) versions prior to 5.2.0 JBoss Web Platform (EWP) versions prior to 5.2.0 JBoss BRMS Platform versions prior to 5.3.1 JBoss SOA Platform versions prior to 5.3.1

Description The issue allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used. This occurs due to a flaw in the CallerIdentityLoginModule.

Recommendations For JBoss Enterprise Application Platform (EAP) versions prior to 5.2.0, update to version 5.2.0 or later. For JBoss Web Platform (EWP) versions prior to 5.2.0, update to version 5.2.0 or later. For JBoss BRMS Platform versions prior to 5.3.1, update to version 5.3.1 or later. For JBoss SOA Platform versions prior to 5.3.1, update to version 5.3.1 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264

Related Identifiers

CVE-2012-3369

RHSA-2013:0191

RHSA-2013:0192

RHSA-2013:0193

RHSA-2013:0195

RHSA-2013:0196

RHSA-2013:0197

Affected Products

Jboss Brms Platform

Red Hat Jboss Enterprise Application Platform

Jboss Soa Platform

Jboss Web Platform

PT-2013-1602 · Red Hat · Jboss Web Platform+3

CVE-2012-3369

Weakness Enumeration

Related Identifiers

Affected Products

References · 18