CVE-2018-1000130 - Vulnerability Details - OpenCVE

A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.91023.

Key SSVC decision points have not yet been added.

Vendors	Products
Jolokia	Webarchive Agent
Redhat	Jboss Fuse

Configuration 1 [-]

cpe:2.3:a:jolokia:webarchive_agent:1.3.7:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat JBoss Fuse 7
jolokia-core	cpe:/a:redhat:jboss_fuse:7	RHSA-2018:2669	2018-09-11T00:00:00Z

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-rhqj-4pp8-vvgf	Injection in Jolokia agent

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2018:2669
https://jolokia.org/#Security_fixes_with_1.5.0
https://nvd.nist.gov/vuln/detail/CVE-2018-1000130
https://www.cve.org/CVERecord?id=CVE-2018-1000130

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-03-14T13:00:00

Updated: 2024-08-05T12:33:49.337Z

Reserved: 2018-03-14T00:00:00

Link: CVE-2018-1000130

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-03-14T13:29:00.300

Modified: 2024-11-21T03:39:44.780

Link: CVE-2018-1000130

Redhat

Severity : Important

Publid Date: 2018-02-08T00:00:00Z

Links: CVE-2018-1000130 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-02-22T00:00:00", "datePublic": "2018-02-08T00:00:00", "descriptions": [{"lang": "en", "value": "A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-09-12T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jolokia.org/#Security_fixes_with_1.5.0"}, {"name": "RHSA-2018:2669", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2669"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-02-22", "ID": "CVE-2018-1000130", "REQUESTER": "mhopkins@gdssecurity.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://jolokia.org/#Security_fixes_with_1.5.0", "refsource": "CONFIRM", "url": "https://jolokia.org/#Security_fixes_with_1.5.0"}, {"name": "RHSA-2018:2669", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2669"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:33:49.337Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jolokia.org/#Security_fixes_with_1.5.0"}, {"name": "RHSA-2018:2669", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2669"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000130", "datePublished": "2018-03-14T13:00:00", "dateReserved": "2018-03-14T00:00:00", "dateUpdated": "2024-08-05T12:33:49.337Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jolokia:webarchive_agent:1.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "D72882E2-6003-47AA-AD79-CC827A25A60F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n JNDI en la versi\u00f3n 1.3.7 del agente Jolokia, en el modo proxy, que permite que un atacante remoto ejecute c\u00f3digo Java arbitrario en el servidor."}], "id": "CVE-2018-1000130", "lastModified": "2024-11-21T03:39:44.780", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-14T13:29:00.300", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2669"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://jolokia.org/#Security_fixes_with_1.5.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2669"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://jolokia.org/#Security_fixes_with_1.5.0"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2018:2669", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "jolokia-core", "product_name": "Red Hat JBoss Fuse 7", "release_date": "2018-09-11T00:00:00Z"}], "bugzilla": {"description": "jolokia: JMX proxy mode vulnerable to remote code execution", "id": "1559316", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1559316"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-99", "details": ["A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server."], "name": "CVE-2018-1000130", "package_state": [{"cpe": "cpe:/a:redhat:jboss_dev_studio:11.", "fix_state": "Not affected", "package_name": "jolokia-core", "product_name": "JBoss Developer Studio 11"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "jolokia-core", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:openstack:7", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)"}, {"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Will not fix", "package_name": "jolokia-core", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "jolokia-client-java", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Will not fix", "package_name": "jolokia-core", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:fuse_integration_services:2", "fix_state": "Affected", "package_name": "jolokia-core", "product_name": "Red Hat JBoss Fuse Integration Service 2"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "impact": "low", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:11", "fix_state": "Not affected", "impact": "low", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 11 (Ocata)"}, {"cpe": "cpe:/a:redhat:openstack:12", "fix_state": "Will not fix", "impact": "low", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 12 (Pike)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "impact": "low", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "impact": "low", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2018-02-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1000130\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000130\nhttps://jolokia.org/#Security_fixes_with_1.5.0"], "statement": "For Red Hat OpenStack Platform, although the affected code is present in shipped packages, proxy mode is not enabled by default and the affected code is not used in any supported configuration of Red Hat OpenStack Platform. For this reason, the RHOSP impact as been reduced to Low and this issue is not currently planned to be addressed in future updates.", "threat_severity": "Important"}