CVE-2013-4210 – Remoting: DoS by file descriptor exhaustion
https://notcve.org/view.php?id=CVE-2013-4210
The org.jboss.remoting.transport.socket.ServerThread class in Red Hat JBoss Remoting for Red Hat JBoss SOA Platform 5.3.1 GA, Web Platform 5.2.0, Enterprise Application Platform 5.2.0, and other products allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. La clase org.jboss.remoting.transport.socket.ServerThread en Red Hat JBoss Remoting para Red Hat JBoss SOA Platform 5.3.1 GA, Web Platform 5.2.0, Enterprise Application Platform 5.2.0, y otros productos, permite a atacantes remotos causar denegación de servicio (consumo de descriptores de fichero) a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2013-1369.html http://rhn.redhat.com/errata/RHSA-2013-1370.html http://rhn.redhat.com/errata/RHSA-2013-1371.html http://rhn.redhat.com/errata/RHSA-2013-1372.html http://rhn.redhat.com/errata/RHSA-2013-1373.html http://rhn.redhat.com/errata/RHSA-2013-1374.html http://rhn.redhat.com/errata/RHSA-2013-1448.html https://access.redhat.com/security/cve/CVE-2013-4210 https://bugzilla.redhat.com/show_bug.cgi?id=994321 •
CVE-2013-2165 – RichFaces: Remote code execution due to insecure deserialization
https://notcve.org/view.php?id=CVE-2013-2165
ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. ResourceBuilderImpl.java en la implementación de RichFaces 3.x a 5.x en la implementación de Red Hat JBoss Web Framework Kit anterior a 2.3.0, Red Hat JBoss Web Platform a 5.2.0, Red Hat JBoss Enterprise Application Platform a 4.3.0 CP10 y 5.x a la 5.2.0, Red Hat JBoss BRMS hasta la 5.3.1, Red Hat JBoss SOA Platform hasta la 4.3.0 CP05 y 5.x hasta la 5.3.1, Red Hat JBoss Portal hasta la 4.3 CP07 y 5.x hasta 5.2.2, y Red Hat JBoss Operations Network hasta 2.4.2 y 3.x hasta la 3.1.2, no restringe las clases para la deserialización de los métodos que pueden ser invocados, lo que permite a atacantes remotos ejecutar código arbitrario a través de datos serializados. • https://github.com/Pastea/CVE-2013-2165 http://jvn.jp/en/jp/JVN38787103/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072 http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html http://rhn.redhat.com/errata/RHSA-2013-1041.html http://rhn.redhat.com/errata/RHSA-2013-1042.html http://rhn.redhat.com/errata/RHSA-2013-1043.html http://rhn.redhat.com/errata/RHSA-2013-1044.html http://rhn.redhat.com/errata/RHSA-2013-1045.html http:/ • CWE-264: Permissions, Privileges, and Access Controls CWE-502: Deserialization of Untrusted Data •
CVE-2011-2908 – CSRF on jmx-console allows invocation of operations on mbeans
https://notcve.org/view.php?id=CVE-2011-2908
Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users for requests that perform operations on MBeans and possibly execute arbitrary code via unspecified vectors. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en JMX Console (jmx-console) en JBoss Enterprise Portal Platform anterior a v5.2.2, BRMS Platform v5.3.0 anterior a roll up patch1, y SOA Platform v5.3.0, permite a atacantes remotos autenticados secuestrar la autenticación de usuarios arbitrarios para solicitudes que lleven a cabo operaciones en MBeans y posiblemente ejecutar código arbitrario mediante vectores desconocidos. • http://rhn.redhat.com/errata/RHSA-2012-1152.html http://rhn.redhat.com/errata/RHSA-2012-1165.html http://rhn.redhat.com/errata/RHSA-2012-1232.html http://rhn.redhat.com/errata/RHSA-2013-0191.html http://rhn.redhat.com/errata/RHSA-2013-0192.html http://rhn.redhat.com/errata/RHSA-2013-0193.html http://rhn.redhat.com/errata/RHSA-2013-0194.html http://rhn.redhat.com/errata/RHSA-2013-0195.html http://rhn.redhat.com/errata/RHSA-2013-0196.html http://rhn • CWE-352: Cross-Site Request Forgery (CSRF) •