{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-07-16T00:00:00", "descriptions": [{"lang": "en", "value": "jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-07-22T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2014:0887", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0887.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:43:06.485Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2014:0887", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0887.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3518", "datePublished": "2014-07-22T20:00:00", "dateReserved": "2014-05-14T00:00:00", "dateUpdated": "2024-08-06T10:43:06.485Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "46849C8D-36E9-4E97-BB49-E04F4EB199E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "A6B1CE36-5131-425D-90BD-FC597F27B3E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "3451D2AD-BB7B-4149-97C3-2DB1BCC0EF85", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "93B87581-F441-4A93-B797-337B7572CC08", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors."}, {"lang": "es", "value": "jmx-remoting.sar en JBoss Remoting, utilizado en Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2 y Red Hat JBoss SOA Platform 5.3.1, no implementa debidamente la especificaci\u00f3n JSR 160, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores no especificados."}], "id": "CVE-2014-3518", "lastModified": "2014-07-23T13:14:26.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-07-22T20:55:01.843", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0887.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Harun ESUR (Sceptive) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2014:0887", "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5.3.1", "package": "remoting", "product_name": "JBoss Enterprise BRMS Platform 5.3", "release_date": "2014-07-16T00:00:00Z"}, {"advisory": "RHSA-2014:0887", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.2", "package": "remoting", "product_name": "Red Hat JBoss Enterprise Application Platform 5.2", "release_date": "2014-07-16T00:00:00Z"}, {"advisory": "RHSA-2014:0887", "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2", "package": "remoting", "product_name": "Red Hat JBoss Portal 5.2", "release_date": "2014-07-16T00:00:00Z"}, {"advisory": "RHSA-2014:0887", "cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3.1", "package": "remoting", "product_name": "Red Hat JBoss SOA Platform 5.3", "release_date": "2014-07-16T00:00:00Z"}], "bugzilla": {"description": "5: Remote code execution via unauthenticated JMX/RMI connector", "id": "1112545", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112545"}, "csaw": false, "cvss": {"cvss_base_score": "7.5", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "verified"}, "cwe": "CWE-306", "details": ["jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors.", "JBoss Application Server 5 and supported Red Hat JBoss 5.x products contain JBoss Remoting, which includes a partial implementation of the JMX remoting specification JSR 160. This implementation is provided in jmx-remoting.sar, which is deployed by default in unsupported community releases of JBoss Application Server 5.x. This implementation does not implement security as defined in JSR 160, and therefore does not apply any authentication or authorization constraints. A remote attacker could use this flaw to potentially execute arbitrary code on a vulnerable server. All of the supported Red Hat JBoss 5.x products are not affected by this issue in their default configuration. These products are only vulnerable if JMX remoting is enabled by manually deploying jmx-remoting.sar from the jboss-as/docs/examples directory. Unsupported community releases of JBoss Application Server 5.x are affected. All users of the standalone JBoss Remoting project are also affected.\nFor more information, see https://access.redhat.com/solutions/1120423"], "name": "CVE-2014-3518", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4", "fix_state": "Not affected", "package_name": "remoting", "product_name": "Red Hat JBoss Enterprise Application Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "remoting", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "fuse", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "others", "product_name": "Red Hat JBoss Enterprise Web Server 1"}], "public_date": "2014-07-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3518\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3518\nhttps://access.redhat.com/solutions/1120423"], "threat_severity": "Important"}