Rapid7 Vulnerability & Exploit Database

Red Hat JBoss: CVE-2012-0874: A remote attacker could invoke MBean methods and run arbitrary code in the context of the user running the JBoss server.

Back to Search

Red Hat JBoss: CVE-2012-0874: A remote attacker could invoke MBean methods and run arbitrary code in the context of the user running the JBoss server.

Severity
7
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
02/05/2013
Created
07/25/2018
Added
08/01/2017
Modified
08/01/2017

Description

The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second layer of authentication," or when used in conjunction with other vulnerabilities that bypass this second layer.

Solution(s)

  • jboss_enterprise_application_platform-cve-2012-0874-1

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;