製品・ソフトウェアに関する情報

JVN脆弱性詳細

JBoss RichFaces において任意のコードが実行される脆弱性

Title	JBoss RichFaces において任意のコードが実行される脆弱性
Summary	JBoss RichFaces には、deserialize の処理に問題があり、任意のコードが実行される脆弱性が存在します。 JBoss RichFaces は、Ajax 機能を持つウェブアプリケーションを作成するためのフレームワークです。JBoss RichFaces で作成されたアプリケーションには、外部からの入力を自動的に deserialize する機能が提供されています。この機能は、信頼できないデータを deserialize してしまうため、任意のコードが実行される脆弱性が存在します。この脆弱性情報は、情報セキュリティ早期警戒パートナーシップに基づき下記の方が IPA に報告し、JPCERT/CC が開発者との調整を行いました。報告者: 三井物産セキュアディレクション株式会社寺田健氏
Possible impacts	細工された入力を処理することで、サーバ上で任意のファイルが書き込まれたり、任意のコードを実行されたりするなどの可能性があります。
Solution	[パッチを適用する] 開発者が提供する情報をもとに各バージョンに対応したパッチを適用してください。
Publication Date	July 19, 2013, midnight
Registration Date	July 19, 2013, noon
Last Update	July 24, 2013, 4:16 p.m.

CVSS2.0 : 警告
Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected System

レッドハット

JBoss Enterprise Application Platform 4.3.0 CP10 まで

JBoss Enterprise Application Platform 5.2.0 までの 5.x

JBoss Enterprise Web Platform 5.2.0 まで

JBoss RichFaces 3.x

JBoss RichFaces 4.x

JBoss RichFaces 5.x

JBoss Web Framework Kit 2.3.0 未満

Red Hat JBoss BRMS 5.3.1 まで

Red Hat JBoss Operations Network 2.4.2 まで

Red Hat JBoss Operations Network 3.1.2 までの 3.x

Red Hat JBoss Portal 4.3 CP07 まで

Red Hat JBoss Portal 5.2.2 までの 5.x

Red Hat JBoss SOA Platform 4.3.0 CP05 まで

Red Hat JBoss SOA Platform 5.3.1 までの 5.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-2165	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2165
National Vulnerability Database (NVD)
2	CVE-2013-2165	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2165
Red Hat
3	CVE-2013-2165	https://access.redhat.com/security/cve/CVE-2013-2165

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther

ベンダー情報

No	Name	URL
Red Hat Bugzilla
1	Bug 973570 - CVE-2013-2165 JBoss RichFaces: Remote code execution due to insecure deserialization	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2165

その他

No	Name	URL
IPA 重要なセキュリティ情報
1	「JBoss RichFaces」において任意のコードが実行される脆弱性対策について (JVN#38787103)	https://www.ipa.go.jp/security/ciadr/vul/20130719-jvn.html
JVN
2	JVN#38787103	http://jvn.jp/jp/JVN38787103/index.html

Change Log

No	Changed Details	Date of change
0	[2013年07月19日] 掲載 [2013年07月24日] 影響を受けるシステム：内容を更新参考情報：National Vulnerability Database (NVD) (CVE-2013-2165) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-2165

Summary	ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.
Publication Date	July 23, 2013, 8:03 p.m.
Registration Date	Jan. 26, 2021, 3:37 p.m.
Last Update	Nov. 21, 2024, 10:51 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:redhat:jboss_operations_network:3.0:::::::*
cpe:2.3:a:redhat:richfaces:4.5.0:alpha1::::::
cpe:2.3:a:redhat:richfaces:3.3.0:::::::*
cpe:2.3:a:redhat:jboss_operations_network:3.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp03::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:::::::*
cpe:2.3:a:redhat:jboss_web_framework_kit:2.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp10::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:tp02::::::
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.2:::::::*
cpe:2.3:a:redhat:richfaces:3.2.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.1:::::::*
cpe:2.3:a:redhat:jboss_operations_network:3.0.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.2:::::::*
cpe:2.3:a:redhat:richfaces:5.0.0:alpha1::::::
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.1:::::::*
cpe:2.3:a:redhat:jboss_web_framework_kit:1.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:::::::*
cpe:2.3:a:redhat:jboss_operations_network:3.1.2:::::::*
cpe:2.3:a:redhat:richfaces:3.3.3:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp02::::::
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp06::::::
cpe:2.3:a:redhat:jboss_operations_network:2.4.2:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.3.1:::::::*
cpe:2.3:a:redhat:jboss_web_framework_kit:1.2.0:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.4:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp01::::::
cpe:2.3:a:redhat:richfaces:3.1.4:::::::*
cpe:2.3:a:redhat:richfaces:4.2.3:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.1:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.0.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.1:::::::*
cpe:2.3:a:redhat:richfaces:4.2.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.0:::::::*
cpe:2.3:a:redhat:jboss_operations_network:1.0.0:::::::*
cpe:2.3:a:redhat:richfaces:4.1.0:::::::*
cpe:2.3:a:redhat:richfaces:3.1.5:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp07::::::
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.1:::::::*
cpe:2.3:a:redhat:richfaces:3.1.1:::::::*
cpe:2.3:a:redhat:jboss_web_framework_kit::::::::		2.2.0
cpe:2.3:a:redhat:richfaces:3.2.1:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.1.0:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.3:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp05::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp04::::::
cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.0:::::::*
cpe:2.3:a:redhat:richfaces:3.3.2:sr1::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp04::::::
cpe:2.3:a:redhat:jboss_web_framework_kit:1.1.0:::::::*
cpe:2.3:a:redhat:richfaces:3.1.6:::::::*
cpe:2.3:a:redhat:richfaces:3.3.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp01::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp03::::::
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.0:::::::*
cpe:2.3:a:redhat:richfaces:4.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.0:::::::*
cpe:2.3:a:redhat:richfaces:3.3.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.1:::::::*
cpe:2.3:a:redhat:richfaces:4.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.0.0:::::::*
cpe:2.3:a:redhat:richfaces:4.3.1:::::::*
cpe:2.3:a:redhat:richfaces:3.2.0:sr1::::::
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp05::::::
cpe:2.3:a:redhat:richfaces:3.1.3:::::::*
cpe:2.3:a:redhat:jboss_operations_network:3.1.1:::::::*
cpe:2.3:a:redhat:richfaces:4.3.0:::::::*
cpe:2.3:a:redhat:richfaces:3.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.1.0:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp05::::::
cpe:2.3:a:redhat:jboss_operations_network:2.4.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp03::::::
cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.1:::::::*
cpe:2.3:a:redhat:jboss_web_framework_kit:2.1.0:::::::*
cpe:2.3:a:redhat:richfaces:3.1.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.0:::::::*
cpe:2.3:a:redhat:richfaces:3.1.2:::::::*
cpe:2.3:a:redhat:richfaces:4.2.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp04::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp02::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://jvn.jp/en/jp/JVN38787103/index.html	Third Party Advisory VDB Entry
2	http://jvn.jp/en/jp/JVN38787103/index.html	Third Party Advisory VDB Entry
3	http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072	Third Party Advisory VDB Entry
4	http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072	Third Party Advisory VDB Entry
5	http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html
6	http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html
7	http://rhn.redhat.com/errata/RHSA-2013-1041.html	Vendor Advisory
8	http://rhn.redhat.com/errata/RHSA-2013-1041.html	Vendor Advisory
9	http://rhn.redhat.com/errata/RHSA-2013-1042.html	Vendor Advisory
10	http://rhn.redhat.com/errata/RHSA-2013-1042.html	Vendor Advisory
11	http://rhn.redhat.com/errata/RHSA-2013-1043.html	Vendor Advisory
12	http://rhn.redhat.com/errata/RHSA-2013-1043.html	Vendor Advisory
13	http://rhn.redhat.com/errata/RHSA-2013-1044.html	Vendor Advisory
14	http://rhn.redhat.com/errata/RHSA-2013-1044.html	Vendor Advisory
15	http://rhn.redhat.com/errata/RHSA-2013-1045.html	Vendor Advisory
16	http://rhn.redhat.com/errata/RHSA-2013-1045.html	Vendor Advisory
17	http://seclists.org/fulldisclosure/2020/Mar/21
18	http://seclists.org/fulldisclosure/2020/Mar/21
19	https://access.redhat.com/security/cve/CVE-2013-2165	Vendor Advisory
20	https://access.redhat.com/security/cve/CVE-2013-2165	Vendor Advisory
21	https://bugzilla.redhat.com/show_bug.cgi?id=973570	Issue Tracking Vendor Advisory
22	https://bugzilla.redhat.com/show_bug.cgi?id=973570	Issue Tracking Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:redhat:jboss_operations_network:3.0:::::::*
cpe:2.3:a:redhat:richfaces:4.5.0:alpha1::::::
cpe:2.3:a:redhat:richfaces:3.3.0:::::::*
cpe:2.3:a:redhat:jboss_operations_network:3.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp03::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:::::::*
cpe:2.3:a:redhat:jboss_web_framework_kit:2.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp10::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:tp02::::::
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.2:::::::*
cpe:2.3:a:redhat:richfaces:3.2.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.1:::::::*
cpe:2.3:a:redhat:jboss_operations_network:3.0.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.2:::::::*
cpe:2.3:a:redhat:richfaces:5.0.0:alpha1::::::
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.1:::::::*
cpe:2.3:a:redhat:jboss_web_framework_kit:1.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:::::::*
cpe:2.3:a:redhat:jboss_operations_network:3.1.2:::::::*
cpe:2.3:a:redhat:richfaces:3.3.3:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp02::::::
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp06::::::
cpe:2.3:a:redhat:jboss_operations_network:2.4.2:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.3.1:::::::*
cpe:2.3:a:redhat:jboss_web_framework_kit:1.2.0:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.4:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp01::::::
cpe:2.3:a:redhat:richfaces:3.1.4:::::::*
cpe:2.3:a:redhat:richfaces:4.2.3:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.1:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.0.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.1:::::::*
cpe:2.3:a:redhat:richfaces:4.2.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.0:::::::*
cpe:2.3:a:redhat:jboss_operations_network:1.0.0:::::::*
cpe:2.3:a:redhat:richfaces:4.1.0:::::::*
cpe:2.3:a:redhat:richfaces:3.1.5:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp07::::::
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.1:::::::*
cpe:2.3:a:redhat:richfaces:3.1.1:::::::*
cpe:2.3:a:redhat:jboss_web_framework_kit::::::::		2.2.0
cpe:2.3:a:redhat:richfaces:3.2.1:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.1.0:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.3:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp05::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp04::::::
cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.0:::::::*
cpe:2.3:a:redhat:richfaces:3.3.2:sr1::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp04::::::
cpe:2.3:a:redhat:jboss_web_framework_kit:1.1.0:::::::*
cpe:2.3:a:redhat:richfaces:3.1.6:::::::*
cpe:2.3:a:redhat:richfaces:3.3.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp01::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp03::::::
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.0:::::::*
cpe:2.3:a:redhat:richfaces:4.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.0:::::::*
cpe:2.3:a:redhat:richfaces:3.3.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.1:::::::*
cpe:2.3:a:redhat:richfaces:4.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.0.0:::::::*
cpe:2.3:a:redhat:richfaces:4.3.1:::::::*
cpe:2.3:a:redhat:richfaces:3.2.0:sr1::::::
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp05::::::
cpe:2.3:a:redhat:richfaces:3.1.3:::::::*
cpe:2.3:a:redhat:jboss_operations_network:3.1.1:::::::*
cpe:2.3:a:redhat:richfaces:4.3.0:::::::*
cpe:2.3:a:redhat:richfaces:3.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.1.0:::::::*
cpe:2.3:a:redhat:jboss_operations_network:2.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp05::::::
cpe:2.3:a:redhat:jboss_operations_network:2.4.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp03::::::
cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.1:::::::*
cpe:2.3:a:redhat:jboss_web_framework_kit:2.1.0:::::::*
cpe:2.3:a:redhat:richfaces:3.1.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.0:::::::*
cpe:2.3:a:redhat:richfaces:3.1.2:::::::*
cpe:2.3:a:redhat:richfaces:4.2.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.2.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp04::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp02::::::
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.1:::::::*