製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の Red Hat JBoss 製品で使用される Apache Commons FileUpload における任意のファイルに書き込まれる脆弱性

Title	複数の Red Hat JBoss 製品で使用される Apache Commons FileUpload における任意のファイルに書き込まれる脆弱性
Summary	Red Hat JBoss Enterprise BRMS Platform、JBoss Enterprise Portal Platform、および JBoss Enterprise Web Server で使用される Apache Commons FileUpload の DiskFileItem クラスには、任意のファイルに書き込まれる脆弱性が存在します。
Possible impacts	第三者により、シリアル化されたインスタンス内の NULL バイトを含むファイル名を介して、任意のファイルに書き込まれる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 15, 2013, midnight
Registration Date	Oct. 30, 2013, 4:05 p.m.
Last Update	Feb. 4, 2016, 4:51 p.m.

CVSS2.0 : 危険
Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected System

レッドハット

JBoss Enterprise Web Server 1.0.2

Red Hat JBoss BRMS 5.3.1

Red Hat JBoss Portal 4.3 CP07

Red Hat JBoss Portal 5.2.2

Red Hat JBoss Portal 6.0.0

Red Hat JBoss Portal 4.3 CP07

Red Hat JBoss Portal 5.2.2

Red Hat JBoss Portal 6.0.0

オラクル

Oracle Communications Applications の Oracle Communications Converged Application Server - Service Controller 6.1

Oracle Communications Applications の Oracle Communications Online Mediation Controller 6.1

Oracle Communications Applications の Oracle Communications Service Broker 6.0, 6.1

Oracle Communications Applications の Oracle Communications Service Broker Engineered System Edition 6.0

Oracle Communications Applications の Oracle Communications Converged Application Server - Service Controller 6.1

Oracle Communications Applications の Oracle Communications Online Mediation Controller 6.1

Oracle Communications Applications の Oracle Communications Service Broker 6.0, 6.1

Oracle Communications Applications の Oracle Communications Service Broker Engineered System Edition 6.0

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 11.1.3

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 12.1.4

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 11.1.3

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 12.1.4

Oracle Fusion Middleware の Oracle Business Intelligence Enterprise Edition 11.1.1.7

Oracle Fusion Middleware の Oracle Business Intelligence Enterprise Edition 11.1.1.9

Oracle Fusion Middleware の Oracle Directory Server Enterprise Edition 11.1.1.7

Oracle Fusion Middleware の Oracle Directory Server Enterprise Edition 7.0

Oracle Fusion Middleware の Oracle Traffic Director 11.1.1.7.0

Oracle Fusion Middleware の Oracle WebLogic Portal 10.3.6

Oracle Fusion Middleware の Oracle WebLogic Server 10.3.6.0

Oracle Fusion Middleware の Oracle WebLogic Server 12.1.1.0

Oracle Fusion Middleware の Oracle WebLogic Server 12.1.2.0

Oracle Fusion Middleware の Oracle WebLogic Server 12.1.3.0

Oracle Fusion Middleware の Oracle Business Intelligence Enterprise Edition 11.1.1.7

Oracle Fusion Middleware の Oracle Business Intelligence Enterprise Edition 11.1.1.9

Oracle Fusion Middleware の Oracle Directory Server Enterprise Edition 11.1.1.7

Oracle Fusion Middleware の Oracle Directory Server Enterprise Edition 7.0

Oracle Fusion Middleware の Oracle Traffic Director 11.1.1.7.0

Oracle Fusion Middleware の Oracle WebLogic Portal 10.3.6

Oracle Fusion Middleware の Oracle WebLogic Server 10.3.6.0

Oracle Fusion Middleware の Oracle WebLogic Server 12.1.1.0

Oracle Fusion Middleware の Oracle WebLogic Server 12.1.2.0

Oracle Fusion Middleware の Oracle WebLogic Server 12.1.3.0

Oracle Industry Applications の Oracle Healthcare Master Person Index 1.x

Oracle Industry Applications の Oracle Healthcare Master Person Index 2.x

Oracle Industry Applications の Oracle Healthcare Master Person Index 1.x

Oracle Industry Applications の Oracle Healthcare Master Person Index 2.x

Oracle OpenSSO 3.0-05

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-2186	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186
2	CVE-2013-2186	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186
National Vulnerability Database (NVD)
3	CVE-2013-2186	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2186
4	CVE-2013-2186	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2186

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html
2	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Oracle Critical Patch Update
1	Oracle Critical Patch Update Advisory - January 2015	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
2	Oracle Critical Patch Update Advisory - January 2015	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
3	Oracle Critical Patch Update Advisory - January 2016	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
4	Oracle Critical Patch Update Advisory - January 2016	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
5	Oracle Critical Patch Update Advisory - July 2015	http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
6	Oracle Critical Patch Update Advisory - July 2015	http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
7	Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2015verbose-1972976.html
8	Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2015verbose-1972976.html
9	Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
10	Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
11	Text Form of Oracle Critical Patch Update - July 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html
12	Text Form of Oracle Critical Patch Update - July 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html
Red Hat Security Advisory
13	RHSA-2013:1428	http://rhn.redhat.com/errata/RHSA-2013-1428.html
14	RHSA-2013:1428	http://rhn.redhat.com/errata/RHSA-2013-1428.html
15	RHSA-2013:1429	http://rhn.redhat.com/errata/RHSA-2013-1429.html
16	RHSA-2013:1429	http://rhn.redhat.com/errata/RHSA-2013-1429.html
17	RHSA-2013:1430	http://rhn.redhat.com/errata/RHSA-2013-1430.html
18	RHSA-2013:1430	http://rhn.redhat.com/errata/RHSA-2013-1430.html
19	RHSA-2013:1448	http://rhn.redhat.com/errata/RHSA-2013-1448.html
20	RHSA-2013:1448	http://rhn.redhat.com/errata/RHSA-2013-1448.html
21	RHSA-2016:0070	https://access.redhat.com/errata/RHSA-2016:0070
22	RHSA-2016:0070	https://access.redhat.com/errata/RHSA-2016:0070
SECURITY BLOG
23	January 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2015_critical_patch_update
24	January 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2015_critical_patch_update
25	January 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2016_critical_patch_update
26	January 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2016_critical_patch_update
27	July 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/july_2015_critical_patch_update
28	July 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/july_2015_critical_patch_update

Change Log

No	Changed Details	Date of change
0	[2013年10月30日] 掲載 [2015年01月22日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices) を追加ベンダ情報：オラクル (January 2015 Critical Patch Update Released) を追加 [2015年07月29日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - July 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - July 2015 Risk Matrices) を追加ベンダ情報：オラクル (July 2015 Critical Patch Update Released) を追加 [2016年01月28日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2016) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices) を追加ベンダ情報：オラクル (January 2016 Critical Patch Update Released) を追加 [2016年02月04日] ベンダ情報：レッドハット (RHSA-2016:0070) を追加	Feb. 17, 2018, 10:37 a.m.
0	[2013年10月30日] 掲載 [2015年01月22日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices) を追加ベンダ情報：オラクル (January 2015 Critical Patch Update Released) を追加 [2015年07月29日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - July 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - July 2015 Risk Matrices) を追加ベンダ情報：オラクル (July 2015 Critical Patch Update Released) を追加 [2016年01月28日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2016) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices) を追加ベンダ情報：オラクル (January 2016 Critical Patch Update Released) を追加 [2016年02月04日] ベンダ情報：レッドハット (RHSA-2016:0070) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-2186

Summary	The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
Publication Date	Oct. 29, 2013, 6:55 a.m.
Registration Date	Jan. 26, 2021, 3:38 p.m.
Last Update	Nov. 21, 2024, 10:51 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:::::::*
cpe:2.3:a:redhat:openshift:::::enterprise:::*		3.1
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:::::::*
cpe:2.3:a:redhat:jboss_enterprise_web_server:1.0.2:::::::*
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp07::::::
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:6.0.0:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:ubuntu:ubuntu:10.04::lts:::::

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00008.html
2	http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00008.html
3	http://lists.opensuse.org/opensuse-updates/2013-10/msg00033.html
4	http://lists.opensuse.org/opensuse-updates/2013-10/msg00033.html
5	http://lists.opensuse.org/opensuse-updates/2013-10/msg00050.html
6	http://lists.opensuse.org/opensuse-updates/2013-10/msg00050.html
7	http://rhn.redhat.com/errata/RHSA-2013-1428.html	Vendor Advisory
8	http://rhn.redhat.com/errata/RHSA-2013-1428.html	Vendor Advisory
9	http://rhn.redhat.com/errata/RHSA-2013-1429.html	Vendor Advisory
10	http://rhn.redhat.com/errata/RHSA-2013-1429.html	Vendor Advisory
11	http://rhn.redhat.com/errata/RHSA-2013-1430.html	Vendor Advisory
12	http://rhn.redhat.com/errata/RHSA-2013-1430.html	Vendor Advisory
13	http://rhn.redhat.com/errata/RHSA-2013-1442.html
14	http://rhn.redhat.com/errata/RHSA-2013-1442.html
15	http://rhn.redhat.com/errata/RHSA-2013-1448.html	Vendor Advisory
16	http://rhn.redhat.com/errata/RHSA-2013-1448.html	Vendor Advisory
17	http://secunia.com/advisories/55716
18	http://secunia.com/advisories/55716
19	http://ubuntu.com/usn/usn-2029-1
20	http://ubuntu.com/usn/usn-2029-1
21	http://www.debian.org/security/2013/dsa-2827
22	http://www.debian.org/security/2013/dsa-2827
23	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
24	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
25	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
26	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
27	http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
28	http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
29	http://www.securityfocus.com/bid/63174
30	http://www.securityfocus.com/bid/63174
31	https://access.redhat.com/errata/RHSA-2016:0070
32	https://access.redhat.com/errata/RHSA-2016:0070
33	https://exchange.xforce.ibmcloud.com/vulnerabilities/88133
34	https://exchange.xforce.ibmcloud.com/vulnerabilities/88133
35	https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01
36	https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01
37	https://www.tenable.com/security/research/tra-2016-23
38	https://www.tenable.com/security/research/tra-2016-23

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html