Uploaded image for project: 'JBoss Enterprise Application Platform 4 and 5'
  1. JBoss Enterprise Application Platform 4 and 5
  2. JBPAPP-7210

JBWEB-212: CVE-2011-3190 - authentication bypass and information disclosure

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: EAP_EWP 5.2.0
    • Component/s: Web
    • Labels:
      None
    • Affects:
      Release Notes
    • Patch Instructions:
      Hide
      SHORT DESCRIPTION:
              Provide fix for JBWEB-212.
      LONG DESCRIPTION:
              Patch to fix CVE-2011-3190 - authentication bypass and information disclosure.
      MANUAL INSTALL INSTRUCTIONS:
              Replace the existing %JBOSS_HOME%/server/%JBOSSCONF%/deploy/jbossweb.sar/jbossweb.jar with the new jbossweb.jar
      COMPATIBILITY:
             5.1.2
      SUPERSEDES:
              N/A
      CREATOR:
              Jean Frederic Clere
      DATE:
              9-September-2011
      Show
      SHORT DESCRIPTION:         Provide fix for JBWEB-212 . LONG DESCRIPTION:         Patch to fix CVE-2011-3190 - authentication bypass and information disclosure. MANUAL INSTALL INSTRUCTIONS:         Replace the existing %JBOSS_HOME%/server/%JBOSSCONF%/deploy/jbossweb.sar/jbossweb.jar with the new jbossweb.jar COMPATIBILITY:        5.1.2 SUPERSEDES:         N/A CREATOR:         Jean Frederic Clere DATE:         9-September-2011
    • Release Notes Text:
      Hide
      It was found that when an AJP message with a request body was received, an unsolicited AJP message containing the first part or the entire request body was sent to the web server under certain circumstances. This injected message could be processed as a new request which would permit an attacker to gain full control over the AJP message and bypass authentication, and lead to information disclosure. With this update, such message injections no longer take place.
      Show
      It was found that when an AJP message with a request body was received, an unsolicited AJP message containing the first part or the entire request body was sent to the web server under certain circumstances. This injected message could be processed as a new request which would permit an attacker to gain full control over the AJP message and bypass authentication, and lead to information disclosure. With this update, such message injections no longer take place.
    • Release Notes Docs Status:
      Documented as Resolved Issue
    • Docs QE Status:
      NEW

      Description

      Incorporate fix for this CVE by Jean-Frederic Clere (r1836)

      https://home.corp.redhat.com/wiki/jboss-web-cve

        Gliffy Diagrams

          Attachments

            Issue Links

            incorporates

            Bug - A problem which impairs or prevents the functions of the product. JBWEB-212 CVE-2011-3190 - authentication bypass and information disclosure

            • Major - A request that should be considered seriously but is not a show stopper.
            • Resolved

              Activity

                People

                • Assignee:
                  jstefl Jan Stefl
                  Reporter:
                  mmusaji Mustafa Musaji
                  Writer:
                  Eva Kopalova
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: