製品・ソフトウェアに関する情報

JVN脆弱性詳細

Oracle Mojarra におけるクロスサイトスクリプティングの脆弱性

Title	Oracle Mojarra におけるクロスサイトスクリプティングの脆弱性
Summary	Oracle Mojarra は、スクリプタスタイルのブロック後に (1) tag または (2) EL エクスプレッションが使用されている場合、適切なエンコードを実行しないため、クロスサイトスクリプティング (XSS) 攻撃を実行される脆弱性が存在します。
Possible impacts	第三者により、アプリケーション固有の要因を介して、クロスサイトスクリプティング (XSS) 攻撃を実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 18, 2013, midnight
Registration Date	July 18, 2014, 6:41 p.m.
Last Update	Jan. 29, 2016, 4:29 p.m.

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected System

オラクル

Mojarra 2.1.28 未満の 2.1.x

Mojarra 2.2.6 未満の 2.2.x

Mojarra 2.1.28 未満の 2.1.x

Mojarra 2.2.6 未満の 2.2.x

Oracle Enterprise Manager Ops Center 12.1.4 未満

Oracle Enterprise Manager Ops Center 12.2.0

Oracle Enterprise Manager Ops Center 12.2.1

Oracle Enterprise Manager Ops Center 12.3.0

Oracle Enterprise Manager Ops Center 12.1.4 未満

Oracle Enterprise Manager Ops Center 12.2.0

Oracle Enterprise Manager Ops Center 12.2.1

Oracle Enterprise Manager Ops Center 12.3.0

Oracle Fusion Middleware の Oracle JDeveloper 11.1.2.4.0

Oracle Fusion Middleware の Oracle JDeveloper 12.1.2.0.0

Oracle Fusion Middleware の Oracle JDeveloper 11.1.2.4.0

Oracle Fusion Middleware の Oracle JDeveloper 12.1.2.0.0

Oracle GlassFish Server 3.0.1

Oracle GlassFish Server 3.1.2

Oracle GlassFish Server 3.0.1

Oracle GlassFish Server 3.1.2

Oracle WebLogic Server 12.1.1.0

Oracle WebLogic Server 12.1.2.0

Oracle WebLogic Server 12.1.1.0

Oracle WebLogic Server 12.1.2.0

日立

Cosminexus Component Container

uCosminexus Application Server

uCosminexus Application Server (64)

uCosminexus Application Server -R

uCosminexus Application Server

uCosminexus Application Server (64)

uCosminexus Application Server -R

uCosminexus Developer

uCosminexus Primary Server Base

uCosminexus Primary Server Base(64)

uCosminexus Primary Server Base

uCosminexus Primary Server Base(64)

uCosminexus Service Architect

uCosminexus Service Platform

uCosminexus Service Platform (64)

uCosminexus Service Platform

uCosminexus Service Platform (64)

プログラミング環境 for Java

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-5855	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5855
2	CVE-2013-5855	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5855
National Vulnerability Database (NVD)
3	CVE-2013-5855	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5855
4	CVE-2013-5855	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5855

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html
2	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Atlassian JIRA
1	JAVASERVERFACES-3150	https://java.net/jira/browse/JAVASERVERFACES-3150
2	JAVASERVERFACES-3150	https://java.net/jira/browse/JAVASERVERFACES-3150
3	JAVASERVERFACES_SPEC_PUBLIC-1258	https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258
4	JAVASERVERFACES_SPEC_PUBLIC-1258	https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258
Hewlett Packard
5	JSF outputText tag: the good, the bad and the ugly	http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8inSUCuapp
6	JSF outputText tag: the good, the bad and the ugly	http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8inSUCuapp
Hitachi Software Vulnerability Information
7	HS14-023	http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-023/index.html
8	HS14-023	http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-023/index.html
Oracle Critical Patch Update
9	Oracle Critical Patch Update Advisory - January 2016	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
10	Oracle Critical Patch Update Advisory - January 2016	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
11	Oracle Critical Patch Update Advisory - July 2014	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
12	Oracle Critical Patch Update Advisory - July 2014	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
13	Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
14	Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
15	Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujul2014verbose-1972958.html
16	Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujul2014verbose-1972958.html
Red Hat Security Advisory
17	RHSA-2015:0234	https://rhn.redhat.com/errata/RHSA-2015-0234.html
18	RHSA-2015:0234	https://rhn.redhat.com/errata/RHSA-2015-0234.html
19	RHSA-2015:0235	https://rhn.redhat.com/errata/RHSA-2015-0235.html
20	RHSA-2015:0235	https://rhn.redhat.com/errata/RHSA-2015-0235.html
21	RHSA-2015:0675	https://rhn.redhat.com/errata/RHSA-2015-0675.html
22	RHSA-2015:0675	https://rhn.redhat.com/errata/RHSA-2015-0675.html
23	RHSA-2015:0720	https://rhn.redhat.com/errata/RHSA-2015-0720.html
24	RHSA-2015:0720	https://rhn.redhat.com/errata/RHSA-2015-0720.html
25	RHSA-2015:0765	https://rhn.redhat.com/errata/RHSA-2015-0765.html
26	RHSA-2015:0765	https://rhn.redhat.com/errata/RHSA-2015-0765.html
SECURITY BLOG
27	January 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2016_critical_patch_update
28	January 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2016_critical_patch_update
29	July 2014 Critical Patch Update Released	https://blogs.oracle.com/security/entry/july_2014_critical_patch_update
30	July 2014 Critical Patch Update Released	https://blogs.oracle.com/security/entry/july_2014_critical_patch_update
ソフトウェア製品セキュリティ情報
31	HS14-023	http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS14-023/index.html
32	HS14-023	http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS14-023/index.html

Change Log

No	Changed Details	Date of change
0	[2014年07月18日] 掲載 [2014年11月04日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日立 (HS14-023) を追加 [2015年03月02日] ベンダ情報：レッドハット (RHSA-2015:0234) を追加ベンダ情報：レッドハット (RHSA-2015:0235) を追加 [2015年05月08日] ベンダ情報：レッドハット (RHSA-2015:0675) を追加ベンダ情報：レッドハット (RHSA-2015:0720) を追加ベンダ情報：レッドハット (RHSA-2015:0765) を追加 [2016年01月29日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2016) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices) を追加ベンダ情報：オラクル (January 2016 Critical Patch Update Released) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-5855

Summary	Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.
Publication Date	July 17, 2014, 2:10 p.m.
Registration Date	Jan. 26, 2021, 3:46 p.m.
Last Update	Nov. 21, 2024, 10:58 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:oracle:mojarra:2.1.2:::::::*
cpe:2.3:a:oracle:mojarra:2.2.2:::::::*
cpe:2.3:a:oracle:mojarra:2.1.16:::::::*
cpe:2.3:a:oracle:mojarra:2.1.13:::::::*
cpe:2.3:a:oracle:mojarra:2.1.12:::::::*
cpe:2.3:a:oracle:mojarra:2.1.3:::::::*
cpe:2.3:a:oracle:mojarra:2.2.5:::::::*
cpe:2.3:a:oracle:mojarra:2.1.10:::::::*
cpe:2.3:a:oracle:mojarra:2.1.20:::::::*
cpe:2.3:a:oracle:mojarra:2.1.4:::::::*
cpe:2.3:a:oracle:mojarra:2.2.1:::::::*
cpe:2.3:a:oracle:mojarra:2.2.3:::::::*
cpe:2.3:a:oracle:mojarra:2.1.18:::::::*
cpe:2.3:a:oracle:mojarra:2.2.0:::::::*
cpe:2.3:a:oracle:mojarra:2.1.6:::::::*
cpe:2.3:a:oracle:mojarra:2.1.22:::::::*
cpe:2.3:a:oracle:mojarra:2.1.9:::::::*
cpe:2.3:a:oracle:mojarra:2.1.15:::::::*
cpe:2.3:a:oracle:mojarra:2.1.25:::::::*
cpe:2.3:a:oracle:mojarra:2.1.7:::::::*
cpe:2.3:a:oracle:mojarra:2.1.1:::::::*
cpe:2.3:a:oracle:mojarra:2.1.23:::::::*
cpe:2.3:a:oracle:mojarra:2.1.5:::::::*
cpe:2.3:a:oracle:mojarra:2.1.11:::::::*
cpe:2.3:a:oracle:mojarra:2.1.24:::::::*
cpe:2.3:a:oracle:mojarra:2.1.8:::::::*
cpe:2.3:a:oracle:mojarra:2.1.26:::::::*
cpe:2.3:a:oracle:mojarra:2.1.17:::::::*
cpe:2.3:a:oracle:mojarra:2.1.27:::::::*
cpe:2.3:a:oracle:mojarra:2.1.14:::::::*
cpe:2.3:a:oracle:mojarra:2.1.19:::::::*
cpe:2.3:a:oracle:mojarra:2.1.21:::::::*
cpe:2.3:a:oracle:mojarra:2.1.0:::::::*
cpe:2.3:a:oracle:mojarra:2.2.4:::::::*

Related information, measures and tools

No	URL	タグ
1	http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8ccVPlXZHU
2	http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/JSF-outputText-tag-the-good-the-bad-and-the-ugly/ba-p/6368011#.U8ccVPlXZHU
3	http://rhn.redhat.com/errata/RHSA-2015-0675.html
4	http://rhn.redhat.com/errata/RHSA-2015-0675.html
5	http://rhn.redhat.com/errata/RHSA-2015-0720.html
6	http://rhn.redhat.com/errata/RHSA-2015-0720.html
7	http://rhn.redhat.com/errata/RHSA-2015-0765.html
8	http://rhn.redhat.com/errata/RHSA-2015-0765.html
9	http://seclists.org/fulldisclosure/2014/Dec/23
10	http://seclists.org/fulldisclosure/2014/Dec/23
11	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
12	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
13	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html	Vendor Advisory
14	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html	Vendor Advisory
15	http://www.securityfocus.com/archive/1/534161/100/0/threaded
16	http://www.securityfocus.com/archive/1/534161/100/0/threaded
17	http://www.securityfocus.com/bid/65600
18	http://www.securityfocus.com/bid/65600
19	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
20	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
21	https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258
22	https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1258
23	https://java.net/jira/browse/JAVASERVERFACES-3150
24	https://java.net/jira/browse/JAVASERVERFACES-3150

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:oracle:mojarra:2.1.2:::::::*
cpe:2.3:a:oracle:mojarra:2.2.2:::::::*
cpe:2.3:a:oracle:mojarra:2.1.16:::::::*
cpe:2.3:a:oracle:mojarra:2.1.13:::::::*
cpe:2.3:a:oracle:mojarra:2.1.12:::::::*
cpe:2.3:a:oracle:mojarra:2.1.3:::::::*
cpe:2.3:a:oracle:mojarra:2.2.5:::::::*
cpe:2.3:a:oracle:mojarra:2.1.10:::::::*
cpe:2.3:a:oracle:mojarra:2.1.20:::::::*
cpe:2.3:a:oracle:mojarra:2.1.4:::::::*
cpe:2.3:a:oracle:mojarra:2.2.1:::::::*
cpe:2.3:a:oracle:mojarra:2.2.3:::::::*
cpe:2.3:a:oracle:mojarra:2.1.18:::::::*
cpe:2.3:a:oracle:mojarra:2.2.0:::::::*
cpe:2.3:a:oracle:mojarra:2.1.6:::::::*
cpe:2.3:a:oracle:mojarra:2.1.22:::::::*
cpe:2.3:a:oracle:mojarra:2.1.9:::::::*
cpe:2.3:a:oracle:mojarra:2.1.15:::::::*
cpe:2.3:a:oracle:mojarra:2.1.25:::::::*
cpe:2.3:a:oracle:mojarra:2.1.7:::::::*
cpe:2.3:a:oracle:mojarra:2.1.1:::::::*
cpe:2.3:a:oracle:mojarra:2.1.23:::::::*
cpe:2.3:a:oracle:mojarra:2.1.5:::::::*
cpe:2.3:a:oracle:mojarra:2.1.11:::::::*
cpe:2.3:a:oracle:mojarra:2.1.24:::::::*
cpe:2.3:a:oracle:mojarra:2.1.8:::::::*
cpe:2.3:a:oracle:mojarra:2.1.26:::::::*
cpe:2.3:a:oracle:mojarra:2.1.17:::::::*
cpe:2.3:a:oracle:mojarra:2.1.27:::::::*
cpe:2.3:a:oracle:mojarra:2.1.14:::::::*
cpe:2.3:a:oracle:mojarra:2.1.19:::::::*
cpe:2.3:a:oracle:mojarra:2.1.21:::::::*
cpe:2.3:a:oracle:mojarra:2.1.0:::::::*
cpe:2.3:a:oracle:mojarra:2.2.4:::::::*