PT-2013-3574 · Red Hat · Red Hat JBoss Web Framework Kit and 7 other products

Published: 2013-07-22 · Updated: 2023-02-13 · CVE-2013-2165

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Red Hat JBoss Web Framework Kit versions 2.3.0 and earlier
Red Hat JBoss Web Platform versions 5.2.0 and earlier
Red Hat JBoss Enterprise Application Platform versions prior to 4.3.0 CP10 and 5.x through 5.2.0
Red Hat JBoss BRMS versions 5.3.1 and earlier
Red Hat JBoss SOA Platform versions prior to 4.3.0 CP05 and 5.x through 5.3.1
Red Hat JBoss Portal versions prior to 4.3 CP07 and 5.x through 5.2.2
Red Hat JBoss Operations Network versions 2.4.2 and earlier and 3.x through 3.1.2
RichFaces versions 3.x through 5.x

Description

A flaw in the RichFaces implementation allows remote attackers to execute arbitrary code via crafted serialized data, because RichFaces does not restrict the classes on which deserialization methods can be invoked. The actual impact depends on the deserialization logic of the classes deployed on the server: any class on the classpath with side effects in its deserialization path becomes reachable to an unauthenticated remote attacker.

Recommendations

For Red Hat JBoss Web Framework Kit versions 2.3.0 and earlier, update to version 2.3.0 or later.
For Red Hat JBoss Web Platform versions 5.2.0 and earlier, update to version 5.2.0 or later.
For Red Hat JBoss Enterprise Application Platform versions prior to 4.3.0 CP10 and 5.x through 5.2.0, update to version 4.3.0 CP10 or version 5.2.0 or later.
For Red Hat JBoss BRMS versions 5.3.1 and earlier, update to version 5.3.1 or later.
For Red Hat JBoss SOA Platform versions prior to 4.3.0 CP05 and 5.x through 5.3.1, update to version 4.3.0 CP05 or version 5.3.1 or later.
For Red Hat JBoss Portal versions prior to 4.3 CP07 and 5.x through 5.2.2, update to version 4.3 CP07 or version 5.2.2 or later.
For Red Hat JBoss Operations Network versions 2.4.2 and earlier and 3.x through 3.1.2, update to version 2.4.2 or version 3.1.2 or later.
For RichFaces versions 3.x through 5.x, consider restricting the classes on which deserialization methods can be invoked as a temporary workaround until a patch is available.

Tags: Fix · RCE


Weakness Enumeration

Related Identifiers

CVE-2013-2165
GHSA-4344-FRCP-J22Q
RHSA-2013:1042
RHSA-2013:1043
RHSA-2013:1044

Affected Products

Red Hat JBoss BRMS
Red Hat JBoss Enterprise Application Platform
Red Hat JBoss Operations Network
Red Hat JBoss Portal
Red Hat JBoss SOA Platform
Red Hat JBoss Web Framework Kit
Red Hat JBoss Web Platform
RichFaces