Red Hat JBoss Enterprise SOA Platform vulnerabilities
17 known vulnerabilities affecting redhat/jboss_enterprise_soa_platform.

Total CVEs: 17
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0

Severity breakdown: CRITICAL 1, HIGH 3, MEDIUM 11, LOW 2

Vulnerabilities (newest first)
CVE-2011-2487 | MEDIUM | CVSS 5.9 | CWE-327 | Affected: v4.2.0, v4.3.0 | Published: 2020-03-11
The implementations of the PKCS#1 v1.5 key transport mechanism for XML Encryption in JBossWS and Apache WSS4J before 1.6.5 are susceptible to a Bleichenbacher attack.
Source: nvd

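Why a padding failure the sender can distinguish is the whole problem, shown with an added Python example (this is not code from JBossWS, WSS4J or this page). It uses textbook RSA over two fixed Mersenne primes purely so that it runs offline, which is a constructed and insecure key, and the hardened decryptor applies the countermeasure the TLS specification prescribes for the same attack: never signal a padding failure, substitute a random symmetric key so the message fails later at the same point as any other wrong key. The function names (leaky_decrypt, hardened_decrypt, probe_leaky, probe_hardened) are this example's own.

```python
"""Added example: the PKCS#1 v1.5 padding-oracle pattern behind CVE-2011-2487.

Textbook RSA over two fixed Mersenne primes (assumption: constructed, insecure
key that exists only so the example runs offline). The point is the contrast
between a decryptor that reports padding failures and one that does not.
"""
import secrets

P = (1 << 127) - 1                  # 2^127 - 1, a Mersenne prime
Q = (1 << 107) - 1                  # 2^107 - 1, a Mersenne prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # 65537 is coprime to phi(N) for these primes
K = (N.bit_length() + 7) // 8       # modulus length in bytes (30 here)
KEY_LEN = 16                        # length of the transported symmetric key


class PaddingError(Exception):
    """Distinguishable failure: surfacing this to the peer is the oracle."""


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 type 2 block: 00 02 <PS, at least 8 nonzero random bytes> 00 M."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def rsa_encrypt(msg: bytes) -> int:
    return pow(int.from_bytes(pkcs1_v15_pad(msg), "big"), E, N)


def _raw_decrypt(c: int) -> bytes:
    return pow(c, D, N).to_bytes(K, "big")


def _padding_ok(em: bytes, key_len: int) -> tuple:
    """Full PKCS#1 v1.5 check: block type 02, PS of >= 8 nonzero bytes, then exactly key_len bytes."""
    sep = em.find(b"\x00", 2)
    ok = em[0] == 0 and em[1] == 2 and sep >= 10 and len(em) - sep - 1 == key_len
    return ok, em[sep + 1:]


def leaky_decrypt(c: int, key_len: int = KEY_LEN) -> bytes:
    """Vulnerable pattern: malformed padding produces an error the sender can observe."""
    ok, key = _padding_ok(_raw_decrypt(c), key_len)
    if not ok:
        raise PaddingError("invalid PKCS#1 v1.5 padding")
    return key


def hardened_decrypt(c: int, key_len: int = KEY_LEN) -> bytes:
    """Countermeasure (the one TLS prescribes for this attack): never signal the
    failure; hand back a random key of the right length so processing continues
    and fails later at the same point, for the same reason, as any wrong key."""
    ok, key = _padding_ok(_raw_decrypt(c), key_len)
    random_key = secrets.token_bytes(key_len)   # generated unconditionally, no early exit
    return key if ok else random_key


def probe_leaky(c: int, s: int) -> bool:
    """One Bleichenbacher query: is (s * m) mod N still a conformant block?
    c * s^e is a valid RSA encryption of s * m, so the leaky decryptor answers
    the question for free, one bit per query."""
    try:
        leaky_decrypt((c * pow(s, E, N)) % N)
        return True
    except PaddingError:
        return False


def probe_hardened(c: int, s: int) -> bool:
    """The same query against the hardened decryptor: it always 'succeeds'."""
    return len(hardened_decrypt((c * pow(s, E, N)) % N)) == KEY_LEN


def demo() -> tuple:
    """Returns (s=1 leaky, s=2 leaky, s=2 hardened). For this 30-byte modulus
    2*m always begins 00 04 or 00 05, so s=2 is a guaranteed non-conformant probe."""
    key = secrets.token_bytes(KEY_LEN)
    c = rsa_encrypt(key)
    assert leaky_decrypt(c) == key == hardened_decrypt(c)
    return probe_leaky(c, 1), probe_leaky(c, 2), probe_hardened(c, 2)


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Each probe_leaky call is one Bleichenbacher query: the attacker multiplies the captured ciphertext by s^e and learns whether s·m is still PKCS-conformant, and a few tens of thousands of such queries recover m, which here is the symmetric key protecting the message. Against the hardened decryptor the same query returns a key every time, and whatever error follows appears only after symmetric decryption, identically for good and bad padding. Keep the padding check itself free of early returns as well; a timing difference restores the oracle.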
CVE-2015-7501 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: v5.0.0 | Published: 2017-11-09
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Ha
Source: nvd

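A triage and detection helper for the CWE-502 (deserialization of untrusted data) class of issue, added here as a Python example that is not code from Red Hat or this page: it recognises a Java serialization stream in a request body, raw or base64-encoded, and lists the class names the stream declares, so a WAF rule or an incident responder can decide whether that payload should ever reach ObjectInputStream. The sample bodies are constructed by hand (descriptor fields after each class name are zero-filled), and GADGET_PREFIXES is an illustrative deny-list from widely published gadget chains, not a statement of which chain this CVE uses.

```python
"""Added example: recognise a Java serialization stream in an HTTP body and list
the classes it declares, for CWE-502 triage such as CVE-2015-7501.

Sample bodies are constructed by hand (descriptor fields after the class name
are zero-filled) and are not captured traffic. GADGET_PREFIXES is an illustrative
deny-list drawn from widely published gadget chains, not a statement of which
chain any particular CVE uses.
"""
import base64
import binascii
import re

STREAM_MAGIC = b"\xac\xed\x00\x05"      # ObjectOutputStream header: magic 0xACED, version 5
BASE64_MAGIC = b"rO0AB"                  # the same four bytes after base64 encoding
TC_OBJECT = b"\x73"
TC_CLASSDESC = b"\x72"                   # followed by writeUTF(className)
_CLASS_NAME = re.compile(rb"^\[*L?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+;?$")

GADGET_PREFIXES = (
    "org.apache.commons.collections.functors.",
    "org.apache.commons.collections4.functors.",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
)


def _utf(name: str) -> bytes:
    """Java DataOutput.writeUTF for ASCII names: 2-byte big-endian length, then the bytes."""
    raw = name.encode("ascii")
    return len(raw).to_bytes(2, "big") + raw


def _classdesc(name: str) -> bytes:
    """Constructed TC_CLASSDESC: name, zeroed serialVersionUID, SC_SERIALIZABLE, zero fields."""
    return TC_CLASSDESC + _utf(name) + b"\x00" * 8 + b"\x02" + b"\x00\x00"


BENIGN_BODY = STREAM_MAGIC + TC_OBJECT + _classdesc("java.util.HashMap") + b"\x78\x70"
GADGET_BODY = (STREAM_MAGIC + TC_OBJECT + _classdesc("java.util.HashMap")
               + TC_OBJECT + _classdesc("org.apache.commons.collections.functors.InvokerTransformer")
               + b"\x78\x70")
GADGET_BODY_B64 = base64.b64encode(GADGET_BODY)
PLAIN_XML_BODY = b"<soap:Envelope/>"


def class_names(stream: bytes) -> list:
    """Heuristic walk: every TC_CLASSDESC is followed by writeUTF(className).

    Back-references and proxy descriptors are not resolved, which is fine for
    flagging: the first mention of each class is always a full descriptor.
    """
    names, i = [], 0
    while True:
        i = stream.find(TC_CLASSDESC, i)
        if i == -1:
            return names
        length = int.from_bytes(stream[i + 1:i + 3], "big")
        raw = stream[i + 3:i + 3 + length]
        if 0 < length < 512 and len(raw) == length and _CLASS_NAME.match(raw):
            names.append(raw.decode("ascii"))
            i += 3 + length             # skip the name so an 'r' inside it is not taken as a tag
        else:
            i += 1


def inspect_body(body: bytes) -> dict:
    """Verdict for one request body, raw or base64-encoded."""
    if body.startswith(BASE64_MAGIC):
        try:
            body = base64.b64decode(body)
        except (binascii.Error, ValueError):
            return {"java_serialized": False, "classes": [], "gadget_classes": []}
    if not body.startswith(STREAM_MAGIC):
        return {"java_serialized": False, "classes": [], "gadget_classes": []}
    classes = class_names(body)
    return {"java_serialized": True, "classes": classes,
            "gadget_classes": [c for c in classes if c.startswith(GADGET_PREFIXES)]}


if __name__ == "__main__":
    for body in (PLAIN_XML_BODY, BENIGN_BODY, GADGET_BODY_B64):
        print(inspect_body(body))
```

For a Java-side control, the same idea belongs inside the JVM as a deserialization filter (ObjectInputFilter in Java 9+, or the jdk.serialFilter property on back-ported JDK 8 builds) that rejects everything except an allow-list of expected classes; the stream scanner above is the network and forensic counterpart, useful exactly where the application cannot be patched quickly.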
CVE-2014-3518 | MEDIUM | CVSS 6.8 | CWE-94 | Affected: v5.3.1 | Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors.
Source: nvd

CVE-2013-4210 | MEDIUM | CVSS 5.0 | Affected: v5.3.0, v5.3.1 | Published: 2013-10-01
The org.jboss.remoting.transport.socket.ServerThread class in Red Hat JBoss Remoting for Red Hat JBoss SOA Platform 5.3.1 GA, Web Platform 5.2.0, Enterprise Application Platform 5.2.0, and other products allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors.
Source: nvd

CVE-2012-5575 | MEDIUM | CVSS 6.4 | CWE-310 | Affected: v4.3.0 | Published: 2013-08-19
Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt commu
Source: nvd

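The check CXF was missing, as an added Python example (not CXF or WSS4J code): compare the algorithm URIs a message claims in its EncryptedKey and EncryptedData elements with the negotiated WS-SecurityPolicy AlgorithmSuite before any key unwrap or decryption runs, so the sender cannot steer the receiver onto a weaker cipher or key-transport padding. The suite table is the relevant subset of WS-SecurityPolicy 1.2; the SOAP fragments are constructed, not captures; the function and class names are this example's own.

```python
"""Added example: enforce the WS-SecurityPolicy AlgorithmSuite before decrypting.

CVE-2012-5575 is a receiver that decrypts with whatever algorithm the message
names and only afterwards (if at all) compares it with policy. The check below
runs first, on the URIs the sender *claims*, and refuses to touch the ciphertext
if any of them falls outside the negotiated suite. Message fragments are
constructed, not captures; CipherValue contents are placeholders.
"""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
_METHOD = f"{{{XENC}}}EncryptionMethod"

# Relevant columns of the WS-SecurityPolicy 1.2 AlgorithmSuite table for three suites:
# data encryption, symmetric key wrap, asymmetric key wrap.
ALGORITHM_SUITES = {
    "Basic128":      {"enc": XENC + "aes128-cbc",    "sym_kw": XENC + "kw-aes128",    "asym_kw": XENC + "rsa-oaep-mgf1p"},
    "Basic128Rsa15": {"enc": XENC + "aes128-cbc",    "sym_kw": XENC + "kw-aes128",    "asym_kw": XENC + "rsa-1_5"},
    "TripleDes":     {"enc": XENC + "tripledes-cbc", "sym_kw": XENC + "kw-tripledes", "asym_kw": XENC + "rsa-oaep-mgf1p"},
}


def _message(key_alg: str, data_alg: str) -> str:
    return f"""<Envelope xmlns:xenc="{XENC}">
  <xenc:EncryptedKey Id="EK-1">
    <xenc:EncryptionMethod Algorithm="{key_alg}"/>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey>
  <xenc:EncryptedData Id="ED-1" Type="{XENC}Content">
    <xenc:EncryptionMethod Algorithm="{data_alg}"/>
    <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</Envelope>"""


# A sender trying to steer a Basic128 endpoint onto RSA PKCS#1 v1.5 key transport and 3DES.
DOWNGRADED_MESSAGE = _message(XENC + "rsa-1_5", XENC + "tripledes-cbc")
CONFORMING_MESSAGE = _message(XENC + "rsa-oaep-mgf1p", XENC + "aes128-cbc")


class AlgorithmSuiteViolation(Exception):
    pass


def _algorithm(elem) -> str:
    method = elem.find(_METHOD)
    return method.get("Algorithm", "") if method is not None else ""


def claimed_algorithms(envelope_xml: str) -> tuple:
    """([EncryptedKey algorithms], [EncryptedData algorithms]) as asserted by the sender."""
    root = ET.fromstring(envelope_xml)
    key_algs = [_algorithm(e) for e in root.iter(f"{{{XENC}}}EncryptedKey")]
    data_algs = [_algorithm(e) for e in root.iter(f"{{{XENC}}}EncryptedData")]
    return key_algs, data_algs


def check_algorithm_suite(envelope_xml: str, suite_name: str) -> list:
    """Run before any key unwrap or decryption. Returns the verified
    (element, algorithm) pairs, or raises naming the first offending algorithm."""
    suite = ALGORITHM_SUITES[suite_name]
    key_algs, data_algs = claimed_algorithms(envelope_xml)
    for alg in key_algs:
        if alg not in (suite["sym_kw"], suite["asym_kw"]):
            raise AlgorithmSuiteViolation(f"EncryptedKey algorithm {alg!r} is not in {suite_name}")
    for alg in data_algs:
        if alg != suite["enc"]:
            raise AlgorithmSuiteViolation(f"EncryptedData algorithm {alg!r} is not in {suite_name}")
    return [("EncryptedKey", a) for a in key_algs] + [("EncryptedData", a) for a in data_algs]


def violation_message(envelope_xml: str, suite_name: str) -> str:
    """Same check for callers that want a string: '' when the message conforms."""
    try:
        check_algorithm_suite(envelope_xml, suite_name)
        return ""
    except AlgorithmSuiteViolation as exc:
        return str(exc)


if __name__ == "__main__":
    print(violation_message(CONFORMING_MESSAGE, "Basic128"))
    print(violation_message(DOWNGRADED_MESSAGE, "Basic128"))
```

The order matters more than the table: an algorithm check that runs after decryption still lets the attacker use the receiver as an oracle for the weak algorithm (compare CVE-2011-2487 above, where rsa-1_5 key transport is exactly the padding a Bleichenbacher attack needs), so a policy violation must be decided from the declared URIs alone and must short-circuit before any private-key operation.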
CVE-2011-1483 | MEDIUM | CVSS 5.0 | Affected: v4.2.0, v4.3.0, +1 more | Published: 2013-07-29
wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise Application Platform 4.2.0.CP09, 4.3, and 5.1.1; JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.1; JBoss Enterprise SOA Platform 4.2.CP05, 4.3.CP05, and 5.1.0; JBoss Communications Platform 1.2.11 and 5.1.1; JBoss Enterprise BRMS Platform 5.1.0; and JBoss Enterprise Web Platform 5.1.1 d
Source: nvd

CVE-2013-2165 | HIGH | CVSS 7.5 | CWE-264 | Affected: v4.2.0, v4.3.0, +8 more | Published: 2013-07-23
ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1,
Source: nvd

CVE-2011-4605 | HIGH | CVSS 7.5 | CWE-264 | Affected: v4.2.0, v4.3.0 | Published: 2012-11-23
The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to
Source: nvd

CVE-2011-4085 | MEDIUM | CVSS 6.8 | Affected: ≤ 5.1.1, v4.2.0, +5 more | Published: 2012-11-23
The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allows remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnera
Source: nvd

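A descriptor linter for the pattern behind this CVE, added here as a Python example (it is not JBoss code, and the servlet name in the sample is made up): a <security-constraint> whose <web-resource-collection> lists <http-method> elements applies only to those verbs, so HEAD, PUT, DELETE, OPTIONS or an arbitrary verb reaches the servlet with no authentication. The check parses web.xml, reports every constraint that names verbs, and is run against a constructed vulnerable descriptor and the corrected one with the verb list removed.

```python
"""Added example: lint web.xml for security constraints that cover only some HTTP verbs.

The descriptor below is constructed (the servlet is hypothetical) to show the
pattern behind CVE-2011-4085: <http-method>GET/POST</http-method> inside a
<web-resource-collection> restricts the constraint to those two verbs, so any
other method reaches the servlet with no authentication at all.
"""
import xml.etree.ElementTree as ET

VULNERABLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>ExampleInvokerServlet</servlet-name>
    <servlet-class>com.example.ExampleInvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ExampleInvokerServlet</servlet-name>
    <url-pattern>/ExampleInvokerServlet/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Invoker</web-resource-name>
      <url-pattern>/ExampleInvokerServlet/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example</realm-name>
  </login-config>
</web-app>
"""

# The fix on a Servlet 2.5 container: drop the verb list, so the constraint covers every method.
FIXED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")


def _local(tag: str) -> str:
    """Strip the namespace so the check works whichever xmlns the descriptor declares."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name: str) -> list:
    return [child for child in elem if _local(child.tag) == name]


def _texts(elem, name: str) -> list:
    return [child.text.strip().upper() for child in _children(elem, name) if child.text]


def find_partial_verb_constraints(web_xml: str) -> list:
    """(url-pattern, scope) for each constraint that names verbs.

    <http-method> limits the constraint to the listed verbs; <http-method-omission>
    (Servlet 3.0+) limits it to everything except the listed verbs, which leaves
    those verbs open and is reported too. A collection with neither element
    constrains all methods and is not reported.
    """
    findings = []
    for constraint in _children(ET.fromstring(web_xml), "security-constraint"):
        for collection in _children(constraint, "web-resource-collection"):
            methods = _texts(collection, "http-method")
            omitted = _texts(collection, "http-method-omission")
            if not methods and not omitted:
                continue
            if methods:
                scope = "only " + ",".join(sorted(methods))
            else:
                scope = "all except " + ",".join(sorted(omitted))
            for pattern in _children(collection, "url-pattern"):
                findings.append((pattern.text.strip(), scope))
    return findings


if __name__ == "__main__":
    print(find_partial_verb_constraints(VULNERABLE_WEB_XML))   # [('/ExampleInvokerServlet/*', 'only GET,POST')]
    print(find_partial_verb_constraints(FIXED_WEB_XML))        # []
```

On Servlet 2.5 containers such as EAP and SOA-P 5 the fix is exactly that removal: a collection with no <http-method> element covers every method. Servlet 3.1 added <deny-uncovered-http-methods/> as a belt-and-braces setting for newer containers. HEAD is the usual bypass because HttpServlet.doHead() delegates to doGet() by default, so the GET logic runs and only the response body is dropped.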
CVE-2011-2908 | MEDIUM | CVSS 6.0 | CWE-352 | Affected: v5.3.0 | Published: 2012-11-23
Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users for requests that perform operations on MBeans and possibly execute arbitr
Source: nvd

CVE-2012-1167 | MEDIUM | CVSS 4.6 | CWE-264 | Affected: ≤ 5.2.0, v5.0.0, +4 more | Published: 2012-11-23
The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the p
Source: nvd

CVE-2012-2377 | LOW | CVSS 3.3 | CWE-287 | Affected: ≤ 5.2.0, v4.2.0, +6 more | Published: 2012-11-23
The JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0 is enabled without authentication when started by the JGroups channel, which allows remote attackers on adjacent networks to read diagnostics information via a crafted IP multicast.
Source: nvd

CVE-2011-2196 | MEDIUM | CVSS 6.8 | Affected: v4.3.0, v5.1.0 | Published: 2011-07-27
jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessage
Source: nvd

CVE-2011-1484 | MEDIUM | CVSS 6.8 | CWE-264 | Affected: v4.3.0, v5.1.0 | Published: 2011-07-27
jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, whic
Source: nvd

CVE-2010-3708 | HIGH | CVSS 7.5 | CWE-20 | Affected: v4.2.0, v4.3.0 | Published: 2010-12-30
The serialization implementation in JBoss Drools in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 before 4.3.0.CP09 and JBoss Enterprise SOA Platform 4.2 and 4.3 supports the embedding of class files, which allows remote attackers to execute arbitrary code via a crafted static initializer.
Source: nvd

CVE-2010-2493 | MEDIUM | CVSS 5.0 | CWE-16 | Affected: ≤ 5.0.1, v4.2.0, +2 more | Published: 2010-08-10
The default configuration of the deployment descriptor (aka web.xml) in picketlink-sts.war in (1) the security_saml quickstart, (2) the webservice_proxy_security quickstart, (3) the web-console application, (4) the http-invoker application, (5) the gpd-deployer application, (6) the jbpm-console application, (7) the contract application, and (8) the udd
Source: nvd

CVE-2010-2474 | LOW | CVSS 3.5 | CWE-20 | Affected: v4.2.0, v4.3.0, +2 more | Published: 2010-08-10
JBoss Enterprise Service Bus (ESB) before 4.7 CP02 in JBoss Enterprise SOA Platform before 5.0.2 does not properly consider the security domain with which a service is secured, which might allow remote attackers to gain privileges by executing a service.
Source: nvd