Uploaded image for project: 'JBoss Enterprise Application Platform 4 and 5'
  1. JBoss Enterprise Application Platform 4 and 5
  2. JBPAPP-7210

JBWEB-212: CVE-2011-3190 - authentication bypass and information disclosure

    XMLWordPrintable

Details

    • Task
    • Resolution: Done
    • Major
    • EAP_EWP 5.2.0
    • None
    • Web
    • None
    • Release Notes
    • Hide
      SHORT DESCRIPTION:
              Provide fix for JBWEB-212.
      LONG DESCRIPTION:
              Patch to fix CVE-2011-3190 - authentication bypass and information disclosure.
      MANUAL INSTALL INSTRUCTIONS:
              Replace the existing %JBOSS_HOME%/server/%JBOSSCONF%/deploy/jbossweb.sar/jbossweb.jar with the new jbossweb.jar
      COMPATIBILITY:
             5.1.2
      SUPERSEDES:
              N/A
      CREATOR:
              Jean Frederic Clere
      DATE:
              9-September-2011
      Show
      SHORT DESCRIPTION:         Provide fix for JBWEB-212. LONG DESCRIPTION:         Patch to fix CVE-2011-3190 - authentication bypass and information disclosure. MANUAL INSTALL INSTRUCTIONS:         Replace the existing %JBOSS_HOME%/server/%JBOSSCONF%/deploy/jbossweb.sar/jbossweb.jar with the new jbossweb.jar COMPATIBILITY:        5.1.2 SUPERSEDES:         N/A CREATOR:         Jean Frederic Clere DATE:         9-September-2011
    • Hide
      It was found that when an AJP message with a request body was received, an unsolicited AJP message containing the first part or the entire request body was sent to the web server under certain circumstances. This injected message could be processed as a new request which would permit an attacker to gain full control over the AJP message and bypass authentication, and lead to information disclosure. With this update, such message injections no longer take place.
      Show
      It was found that when an AJP message with a request body was received, an unsolicited AJP message containing the first part or the entire request body was sent to the web server under certain circumstances. This injected message could be processed as a new request which would permit an attacker to gain full control over the AJP message and bypass authentication, and lead to information disclosure. With this update, such message injections no longer take place.
    • Documented as Resolved Issue
    • NEW

    Description

      Incorporate fix for this CVE by Jean-Frederic Clere (r1836)

      https://home.corp.redhat.com/wiki/jboss-web-cve

      Attachments

        Activity

          People

            jstefl@redhat.com Jan Štefl
            rhn-support-mus Mustafa Musaji
            Eva Kopalova Eva Kopalova (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: