The JBoss Seam 2 framework is an application framework for building web
applications in Java.

It was found that the fix for CVE-2011-1484 was incomplete: JBoss Seam 2
did not block access to all malicious JBoss Expression Language (EL)
constructs in page exception handling, allowing arbitrary Java methods to
be executed. A remote attacker could use this flaw to execute arbitrary
code via a specially-crafted URL provided to certain applications based on
the JBoss Seam 2 framework. Note: A properly configured and enabled Java
Security Manager would prevent exploitation of this flaw. (CVE-2011-2196)

Red Hat would like to thank the ObjectWorks+ Development Team at Nomura
Research Institute for reporting this issue.

Users of jboss-seam2 should upgrade to these updated packages, which
correct this issue. Manual action is required for this update to take
effect. Refer to the Solution section for details.
| OS | OS Version | Architecture | Package | Affected Version | Fixed Package Filename |
|---|---|---|---|---|---|
| RedHat | 5 | noarch | jboss-seam2 | < 2.0.2.FP_SEC1-1.ep2.3.el5 | jboss-seam2-2.0.2.FP_SEC1-1.ep2.3.el5.noarch.rpm |
| RedHat | 5 | noarch | jboss-seam2-docs | < 2.0.2.FP_SEC1-1.ep2.3.el5 | jboss-seam2-docs-2.0.2.FP_SEC1-1.ep2.3.el5.noarch.rpm |
| RedHat | 5 | src | jboss-seam2 | < 2.0.2.FP_SEC1-1.ep2.3.el5 | jboss-seam2-2.0.2.FP_SEC1-1.ep2.3.el5.src.rpm |
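As an added defender-side check that is not part of the advisory or of Red Hat's tooling: the script below reads `rpm -qa` (NVRA) output and classifies each jboss-seam2 package against the fixed version-release from the table above, using a reimplementation of RPM's version ordering so that segments such as `FP_SEC1` and `ep2.3` compare the way rpm itself compares them (epoch is not considered, and the sample package list and its pre-fix versions are constructed for illustration).

```python
import re
from itertools import zip_longest

# Fixed version-release per package, taken from the advisory table (no epoch).
FIXED = {"jboss-seam2": ("2.0.2.FP_SEC1", "1.ep2.3.el5"),
         "jboss-seam2-docs": ("2.0.2.FP_SEC1", "1.ep2.3.el5")}
_SEG = re.compile(r"\d+|[A-Za-z]+|~")   # '^' (rpm >= 4.15) is not handled here
_NVRA = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")

def rpmvercmp(a, b):
    """Compare version (or release) strings like librpm's rpmvercmp, returning -1/0/1:
    separators ignored, digit runs numeric, letter runs lexical, digits beat letters."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if "~" in (x, y):                       # '~' sorts below everything, even end of string
            if x != y:
                return 1 if x != "~" else -1
        elif x is None or y is None:            # the string that ran out sorts lower
            return -1 if x is None else 1
        elif x.isdigit() != y.isdigit():        # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        else:
            if x.isdigit():
                x, y = x.lstrip("0"), y.lstrip("0")
                if len(x) != len(y):            # more significant digits wins
                    return 1 if len(x) > len(y) else -1
            if x != y:
                return 1 if x > y else -1
    return 0

def evr_ge(ver, rel, fixed_ver, fixed_rel):
    """True if ver-rel is at or above fixed_ver-fixed_rel (version first, then release)."""
    return (rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)) >= 0

def check_rpm_qa(lines):
    """Classify each jboss-seam2 package in `rpm -qa` (NVRA) output as fixed or affected."""
    findings = []
    for line in (l.strip() for l in lines):
        m = _NVRA.match(line)
        if m and m["name"] in FIXED:
            state = "fixed" if evr_ge(m["ver"], m["rel"], *FIXED[m["name"]]) else "affected"
            findings.append((line, state))
    return findings

# Constructed sample `rpm -qa` output; the two pre-fix versions are made up for illustration.
SAMPLE_RPM_QA = """\
jboss-seam2-2.0.2.FP-1.ep2.1.el5.noarch
jboss-seam2-docs-2.0.2.FP_SEC1-1.ep2.2.el5.noarch
jboss-seam2-2.0.2.FP_SEC1-1.ep2.3.el5.noarch
""".splitlines()
```

On a real host, feed it `rpm -qa` output via `check_rpm_qa(sys.stdin)`; anything reported as affected needs the update from the table (and the manual steps the Solution section describes).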