Added: 10/23/2013
CVE: [CVE-2013-4810](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4810>)
BID: [62854](<http://www.securityfocus.com/bid/62854>)
OSVDB: [97153](<http://www.osvdb.org/97153>)
### Background
McAfee Web Reporter analyzes logs from a variety of proxy sources to provide real-time views into web traffic, including extensive drill-down capabilities and powerful off-line processing.
### Problem
McAfee Web Reporter is vulnerable to remote code execution because it embeds a vulnerable version of JBoss. The application does not properly restrict access to invoker/EJBInvokerServlet, which can be exploited to deploy and execute arbitrary Java code by sending a specially crafted marshalled object to TCP port 9111.
### Resolution
Contact the vendor for a solution.
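
Until a vendor fix is applied, HTTP access logs can show whether the invoker servlets are being reached without authentication. The triage script below is an added example, not code from SAINT or McAfee. It assumes NCSA common-format access logs are available for the embedded JBoss listener; the JMXInvokerServlet path comes from the related scanner records for the same CVE, and the verdict labels and log lines are constructed for illustration.

```python
import posixpath
import re
from collections import namedtuple
from urllib.parse import unquote

# Servlet paths named in this advisory and its related records (lower-cased).
INVOKER_PATHS = ("/invoker/ejbinvokerservlet", "/invoker/jmxinvokerservlet")

# Assumption: NCSA common/combined log format (client, ident, user, time,
# request line, status, ...). Adjust the pattern for other layouts.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})(?:\s|$)'
)

Finding = namedtuple("Finding", "client method path status verdict")


def normalize_path(target):
    """Reduce a request target to a canonical lower-case path for matching.

    Undoes common ways of disguising a path in a log line: absolute-form
    URLs, percent-encoding, ";param" path parameters, doubled slashes and
    "." / ".." segments. Lower-casing deliberately over-matches.
    """
    target = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", target, flags=re.I)
    path = target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path).lower()


def classify(method, status, user):
    """Label one invoker-servlet request (labels are this example's own)."""
    if status in (401, 403):
        return "denied"                      # access control answered
    if 200 <= status < 300 and user == "-":
        # Served with no authenticated user. A POST means a request body
        # (a marshalled object) was accepted: investigate the host.
        return "unauthenticated-post" if method == "POST" else "unauthenticated-probe"
    return "other"                           # authenticated, 404, 5xx: review


def triage(lines):
    """Return a Finding for every log line that touches an invoker servlet."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # unparseable line, skip
        path = normalize_path(m["target"])
        if not any(path == p or path.startswith(p + "/") for p in INVOKER_PATHS):
            continue
        status = int(m["status"])
        findings.append(Finding(m["client"], m["method"], path, status,
                                classify(m["method"], status, m["user"])))
    return findings


# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Oct/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [23/Oct/2013:10:02:11 +0000] "GET /invoker/EJBInvokerServlet HTTP/1.1" 200 3392
198.51.100.7 - - [23/Oct/2013:10:02:15 +0000] "POST /invoker/EJBInvokerServlet HTTP/1.1" 200 882
203.0.113.5 - - [23/Oct/2013:10:05:40 +0000] "POST /invoker/%4AMXInvokerServlet/ HTTP/1.1" 401 0
203.0.113.9 - - [23/Oct/2013:10:06:00 +0000] "GET //invoker/./EJBInvokerServlet;x=1?a=b HTTP/1.1" 200 3392
192.0.2.44 - admin [23/Oct/2013:10:07:00 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 120
this line is not an access-log entry
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.verdict:22} {f.client:15} {f.method:5} {f.status} {f.path}")
```

Any `unauthenticated-post` result means the servlet accepted a request body without credentials and the host should be examined for unexpected deployments; `denied` results indicate that access restrictions on the servlet are answering.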
### References
<http://secunia.com/advisories/55112/>
<http://retrogod.altervista.org/9sg_ejb.html>
### Limitations
This exploit was tested against McAfee Web Reporter 5.2.1 on Windows Server 2008 R2 SP1 (DEP OptOut).
### Platforms
Windows
{"saint": [{"lastseen": "2021-07-28T14:33:22", "description": "Added: 10/23/2013 \nCVE: [CVE-2013-4810](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4810>) \nBID: [62854](<http://www.securityfocus.com/bid/62854>) \nOSVDB: [97153](<http://www.osvdb.org/97153>) \n\n\n### Background\n\nMcAfee Web Reporter analyzes logs from a variety of proxy sources to provide real-time views into web traffic, including extensive drill-down capabilities and powerful off-line processing. \n\n### Problem\n\nMcAfee Web Reporter is vulnerable to remote code execution due to embedding a vulnerable version of JBoss. The vulnerability is due to the application not properly restricting access to the invoker/EJBInvokerServlet which can be exploited to deploy and execute arbitray Java code by sending a specially crafted marshalled object to TCP port 9111. \n\n### Resolution\n\nContact the vendor for a solution. \n\n### References\n\n<http://secunia.com/advisories/55112/> \n<http://retrogod.altervista.org/9sg_ejb.html> \n\n\n### Limitations\n\nThis exploit was tested against McAfee Web Reporter 5.2.1 on Windows Server 2008 R2 SP1 (DEP OptOut). 
\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-10-23T00:00:00", "type": "saint", "title": "McAfee Web Reporter JBoss EJBInvokerServlet Marshalled Object Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4810"], "modified": "2013-10-23T00:00:00", "id": "SAINT:F331FA17751309C5BD461AF4E8A90312", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/mcafee_web_reporter_jboss_ejbinvokerservlet", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:59", "description": "Added: 10/23/2013 \nCVE: [CVE-2013-4810](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4810>) \nBID: [62854](<http://www.securityfocus.com/bid/62854>) \nOSVDB: [97153](<http://www.osvdb.org/97153>) \n\n\n### Background\n\nMcAfee Web Reporter analyzes logs from a variety of proxy sources to provide real-time views into web traffic, including extensive drill-down capabilities and powerful off-line processing. \n\n### Problem\n\nMcAfee Web Reporter is vulnerable to remote code execution due to embedding a vulnerable version of JBoss. The vulnerability is due to the application not properly restricting access to the invoker/EJBInvokerServlet which can be exploited to deploy and execute arbitray Java code by sending a specially crafted marshalled object to TCP port 9111. \n\n### Resolution\n\nContact the vendor for a solution. 
\n\n### References\n\n<http://secunia.com/advisories/55112/> \n<http://retrogod.altervista.org/9sg_ejb.html> \n\n\n### Limitations\n\nThis exploit was tested against McAfee Web Reporter 5.2.1 on Windows Server 2008 R2 SP1 (DEP OptOut). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-10-23T00:00:00", "type": "saint", "title": "McAfee Web Reporter JBoss EJBInvokerServlet Marshalled Object Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-4810"], "modified": "2013-10-23T00:00:00", "id": "SAINT:73B78E4CC6A84900DDFE755805A5092F", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/mcafee_web_reporter_jboss_ejbinvokerservlet", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-01-26T11:36:34", "description": "Added: 10/23/2013 \nCVE: [CVE-2013-4810](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4810>) \nBID: [62854](<http://www.securityfocus.com/bid/62854>) \nOSVDB: [97153](<http://www.osvdb.org/97153>) \n\n\n### Background\n\nMcAfee Web Reporter analyzes logs from a variety of proxy sources to provide real-time views into web traffic, including extensive drill-down capabilities and powerful off-line processing. \n\n### Problem\n\nMcAfee Web Reporter is vulnerable to remote code execution due to embedding a vulnerable version of JBoss. The vulnerability is due to the application not properly restricting access to the invoker/EJBInvokerServlet which can be exploited to deploy and execute arbitray Java code by sending a specially crafted marshalled object to TCP port 9111. \n\n### Resolution\n\nContact the vendor for a solution. \n\n### References\n\n<http://secunia.com/advisories/55112/> \n<http://retrogod.altervista.org/9sg_ejb.html> \n\n\n### Limitations\n\nThis exploit was tested against McAfee Web Reporter 5.2.1 on Windows Server 2008 R2 SP1 (DEP OptOut). 
\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-10-23T00:00:00", "type": "saint", "title": "McAfee Web Reporter JBoss EJBInvokerServlet Marshalled Object Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4810"], "modified": "2013-10-23T00:00:00", "id": "SAINT:C4CE6EE786263B63DE8534C3A7C9A1ED", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/mcafee_web_reporter_jboss_ejbinvokerservlet", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2017-01-08T18:01:12", "description": "[](<http://2.bp.blogspot.com/-xGy919BMJkM/Uo4h1tgpTyI/AAAAAAAAY5U/Kd9_6rKnQHw/s1600/Critical+vulnerability+in+JBoss+Application+Servers+enables+remote+Shell.png>)\n\n[Cyber security](<http://thehackernews.com/search/label/cyber%20security>) of many organizations being attacked at an extremely high rate this month, well another alarming cyber crime report become public today.\n\n \n\n\nA widely unpatched and two years old critical [vulnerability](<http://thehackernews.com/search/label/Vulnerability>) in JBoss Application Server (AS) that enable an attacker to remotely get a shell on a vulnerable web server.\n\nJBoss Application Server is an open-source Java EE-based application server very popular, it was designed by JBoss, now a division of Red Hat. 
In late 2012, JBoss AS was named as \"_wildFly_\", since disclosure of the [exploit code](<http://thehackernews.com/search/label/exploit>) many products running the affected JBoss Application Server have been impacted, including some security software.\n\n \n\n\nTens of thousands of enterprise data center servers are vulnerable to this attack, with at least 500 actively compromised, according to the Imperva report. Many systems administrators have yet to properly configure their servers to mitigate the threat, and the number of potential targets has increased over time, making the exploit even more attractive to attackers.\n\n \n\n\nThe number of infections has surged since exploit code called **_pwn.jsp_** was publicly disclosed i.e. October 4th.** pwn.jsp** shell isn't the unique exploit available, Imperva\u2019s Barry Shteiman confirmed the availability of another more sophisticated shell available to attackers. \n\n> \u201c_In these cases, the attackers had used the JspSpy web shell which includes a richer User Interface, enabling the attackers to easily browse through the infected files and databases, connect with a remote command and control server and other modern malware capabilities_,\u201d\n\nA number of Government and Education related websites have been hacked, exploiting the JBoss Application Server vulnerability, where an attacker can obtain a remote shell access on the target system to inject code into a website hosted on the server or steal files stored on the machine.\n\n> \"_The vulnerability allows an attacker to abuse the management interface of the JBoss AS in order to deploy additional functionality into the web server. 
Once the attackers deploy that additional functionality, they gain full control over the exploited JBoss infrastructure, and therefore the site powered by that Application Server._\"\n\nImperva researchers demonstrated that JBoss AS is vulnerable to _[remote command execution](<http://thehackernews.com/search/label/remote%20code%20execution>) _via the \u2018_HTTP Invoker_\u2019 service that provides Remote Method Invocation (RMI) /HTTP access to Enterprise Java Beans (EJB).\n\n \n\n\nThe Invoker improperly exposes the management interface, \"_Jboss Application Server is vulnerable to remote command execution via the \u2018HTTP Invoker\u2019 service that provides Remote Method Invocation (RMI) /HTTP access to Enterprise Java Beans (EJB)_\".\n\n \n\n\nOn Sept. 16th, the National Vulnerability Database issued an advisory warning of a critical remote code execution bug affecting HP ProCurve Manager, it's assigned to the flaw the Common Vulnerability Enumeration code **_[CVE-2013-4810](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4810>)_** and on October 4th 2013, a security researcher has disclosed the code of an exploit for the JBoss Application Server vulnerability.\n\n \n\n\nAs consequence the security community had witnessed a surge in Jboss AS hacking, the malicious traffic originated from the compromised servers was detected by Imperva\u2019s honey pots.\n\n \n\n\nIn a few weeks an exploit was added to _[exploit-db](<http://www.exploit-db.com/exploits/28713/>)_ that successfully gained shell against a product running **JBoss 4.0.5**.\n\n \n\n\nImperva confirmed that the number of web servers running Jboss Application Server exposing management interfaces has tripled since the initial vulnerability research was public disclosed passing from 7,000 to 23,000.\n\n \n\n\nI have just run the following Google Dork retrieving more than 17000 results:\n\n> _intitle:\u201dJBoss Management Console \u2013 Server Information\u201d \u201capplication server\u201d 
inurl:\u201dweb-console\u201d OR inurl:\u201djmx-console\u201d_\n\n[](<http://3.bp.blogspot.com/-73eMvUVgFOQ/Uo4gzZ5AMKI/AAAAAAAAY5M/tubiO2mjQ1U/s1600/Critical+vulnerability+in+JBoss+Application+Servers+enables+remote+Shell.png>)\n\nIt is possible to note that Google reconnaissance enables the attacker to identify also governmental and educational websites, some of them also result infected. \n\n> \"_Many of the deployed web shells utilize the original pwn.jsp shell code that was presented with the original exploit, as can be seen in a [blog entry](<http://nickhumphreyit.blogspot.co.il/2013/10/jboss-42-hacked-by-pwnjsp.html>) posted by one of the attack\u2019s victims. In other cases a more powerful web shell was deployed. In these cases, the attackers had used the JspSpy web shell which includes a richer User Interface, enabling the attackers to easily browse through the infected files and databases, connect with a remote command and control server and other modern malware capabilities._\"\n\nThe concerning aspect of the story is that once again on a two-year-old vulnerability could be easily exploited to compromise a huge quantity of information, the situation is analogue to the [Silverlight](<http://securityaffairs.co/wordpress/19843/hacking/microsoft-silverlight-5-flaw.html>) flaw that manages users of Netflix, the provider of on-demand Internet streaming media.\n", "cvss3": {}, "published": "2013-11-21T04:13:00", "type": "thn", "title": "Two-year-old vulnerability in JBoss Application Servers enables Remote Shell for Hackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2013-4810"], "modified": "2013-11-21T15:16:59", "id": "THN:8573602ED2B18F90AC04D8BA8D25E682", "href": "http://thehackernews.com/2013/11/Vulnerability-JBoss-Application-Servers-exploit-code.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2022-01-31T21:01:23", "description": "This vulnerability allows 
remote attackers to execute arbitrary code on vulnerable installations of HP PCM Plus and Application Lifecycle Management. Authentication is not required to exploit this vulnerability. The specific flaw exists within the exposed EJBInvokerServlet and JMXInvokerServlet. An unauthenticated attacker can post a marshalled object allowing them to install an arbitrary application on the target server. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user in HP PCM Plus and with administrative privileges on Application Lifecycle Management.", "cvss3": {}, "published": "2013-09-11T00:00:00", "type": "zdi", "title": "HP PCM+ and Application Lifecycle Management JBoss Invoker Servlets Marshalled Object Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4810"], "modified": "2013-09-11T00:00:00", "id": "ZDI-13-229", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-229/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:59:47", "description": "Attackers are exploiting a two-year-old vulnerability in JBoss Application Servers that enables a hacker to remotely get a shell on a vulnerable webserver. The number of infections has surged since[ exploit code called pwn.jsp](<http://blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html>) was publicly disclosed Oct. 
4.\n\nResearchers at Imperva said that a number of government and education websites have been compromised, as indicated by data collected through the company\u2019s honeypots. An attacker with remote shell access can inject code into a website run by the server or hunt and peck for files stored on the machine and extract them.\n\nThe vulnerability in the HTTP Invoker service that provides RMI/HTTP access to Enterprise Java Beans, was discovered in 2011 and presented at a number of security events that year.\n\n\u201cThe vulnerability allows an attacker to abuse the management interface of the JBoss AS in order to deploy additional functionality into the web server,\u201d said Imperva\u2019s Barry Shteiman. \u201cOnce the attackers deploy that additional functionality, they gain full control over the exploited JBoss infrastructure, and therefore the site powered by that application server.\u201d\n\nOn Sept. 16, the National Vulnerability Database issued an [advisory](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4810>) warning of a remote code execution bug affecting HP ProCurve Manager, network management software. The vulnerability was given the NVD\u2019s highest criticality ranking of 10. Since then, other products running the affected JBoss Application Server have been identified, including some security software.\n\nWithin three weeks, an exploit was added to [exploit-db](<http://www.exploit-db.com/exploits/28713/>) that successfully gained shell against a product running JBoss 4.0.5.\n\n\u201cImmediately thereafter, we had witnessed a surge in JBoss hacking, which manifested in malicious traffic originating from the infected servers and observed in Imperva\u2019s honeypot array,\u201d Shteiman said.\n\nAccording to Imperva\u2019s analysis, the vulnerability lies in the Invoker service, which operates at the remote management level enabling applications to access the server. 
The Invoker improperly exposes the management interface, Shteiman said.\n\nCompounding the problem is that in addition to the pwn.jsp shell, Shteiman said there is another more sophisticated shell available to attackers.\n\n\u201cIn these cases, the attackers had used the JspSpy web shell which includes a richer User Interface, enabling the attackers to easily browse through the infected files and databases, connect with a remote command and control server and other modern malware capabilities,\u201d he said.\n\nImperva also said that the number of webservers running JBoss software has tripled since the initial vulnerability research was made public.\n", "cvss3": {}, "published": "2013-11-19T16:07:59", "type": "threatpost", "title": "JBoss AS Attacks Up Since Exploit Code Disclosed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2013-4810"], "modified": "2013-11-21T15:18:24", "id": "THREATPOST:7E20261F9330304969941B4755E98BAA", "href": "https://threatpost.com/jboss-attacks-up-since-exploit-code-disclosure/102971/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "HP ProCurve Manager (PCM), PCM+, Identity Driven Manager (IDM), and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet.", "cvss3": {}, "published": "2022-03-25T00:00:00", "type": "cisa_kev", "title": "HP Multiple Products Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4810"], "modified": "2022-03-25T00:00:00", "id": "CISA-KEV-CVE-2013-4810", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-05-08T11:04:12", "description": "Apache Tomcat/JBoss Application Server is prone to multiple remote code-\n execution vulnerabilities.", "cvss3": {}, "published": "2013-10-15T00:00:00", "type": "openvas", "title": "Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4810", "CVE-2012-0874"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310103811", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103811", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103811\");\n script_bugtraq_id(57552, 62854);\n script_version(\"2020-05-05T09:44:01+0000\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2012-0874\", \"CVE-2013-4810\");\n script_name(\"Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 09:44:01 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-10-15 10:27:36 +0200 (Tue, 15 Oct 2013)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-229/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/57552\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/62854\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/28713/\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/30211\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting these issues may allow an attacker to execute\n arbitrary code within the context of the affected application. 
Failed\n exploit attempts may result in a denial-of-service condition.\");\n\n script_tag(name:\"vuldetect\", value:\"Determine if the EJBInvokerServlet and/or JMXInvokerServlet is accessible without authentication.\");\n\n script_tag(name:\"insight\", value:\"The specific flaw exists within the exposed EJBInvokerServlet and JMXInvokerServlet. An unauthenticated\n attacker can post a marshalled object allowing them to install an arbitrary application on the target server.\");\n\n script_tag(name:\"solution\", value:\"Ask the Vendor for an update and enable authentication for the mentioned servlets.\");\n\n script_tag(name:\"summary\", value:\"Apache Tomcat/JBoss Application Server is prone to multiple remote code-\n execution vulnerabilities.\");\n\n script_tag(name:\"affected\", value:\"Apache Tomcat/JBoss Application Server providing access to the EJBInvokerServlet and/or JMXInvokerServlet\n without prior authentication.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = http_get_port(default:9200);\n\nreport = 'The following Servlets are accessible without authentication which indicates that a RCE attack can be executed:\\n';\n\nforeach file(make_list(\"/EJBInvokerServlet\", \"/JMXInvokerServlet\")) {\n\n url = \"/invoker\" + file;\n req = http_get(item:url, port:port);\n buf = http_send_recv(port:port, data:req);\n\n if(buf =~ \"^HTTP/1\\.[01] 200\" &&\n \"404\" >!< buf &&\n \"org.jboss.invocation.MarshalledValue\" >< buf &&\n \"x-java-serialized-object\" >< buf &&\n \"WWW-Authenticate\" >!< buf) {\n\n report += '\\n' + http_report_vuln_url(port:port, url:url, url_only:TRUE);\n VULN = TRUE;\n }\n}\n\nif(VULN) {\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-06-16T14:16:23", "description": "The 
'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by the following vulnerabilities :\n\n - A security bypass vulnerability exists due to improper restriction of access to the console and web management interfaces. An unauthenticated, remote attacker can exploit this, via direct requests, to bypass authentication and gain administrative access.\n (CVE-2007-1036)\n\n - A remote code execution vulnerability exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. An unauthenticated, remote attacker can exploit this to bypass authentication and invoke MBean methods, resulting in the execution of arbitrary code.\n (CVE-2012-0874)\n\n - A remote code execution vulnerability exists in the EJBInvokerServlet and JMXInvokerServlet servlets due to the ability to post a marshalled object. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to install arbitrary applications. 
Note that this issue is known to affect McAfee Web Reporter versions prior to or equal to version 5.2.1 as well as Symantec Workspace Streaming version 7.5.0.493 and possibly earlier.\n (CVE-2013-4810)", "cvss3": {"score": null, "vector": null}, "published": "2013-10-14T00:00:00", "type": "nessus", "title": "Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-1036", "CVE-2012-0874", "CVE-2013-4810"], "modified": "2022-03-28T00:00:00", "cpe": ["cpe:/a:hp:procurve_manager", "cpe:/a:hp:application_lifecycle_management", "cpe:/a:hp:identity_driven_manager", "cpe:/a:redhat:jboss_enterprise_web_platform", "cpe:/a:redhat:jboss_enterprise_application_platform", "cpe:/a:redhat:jboss_enterprise_brms_platform", "cpe:/a:redhat:jboss_enterprise_application_platform", "cpe:/a:jboss:jboss_application_server", "cpe:/a:symantec:workspace_streaming"], "id": "JMXINVOKERSERVLET_EJBINVOKERSERVLET_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/70414", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(70414);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/28\");\n\n script_cve_id(\"CVE-2007-1036\", \"CVE-2012-0874\", \"CVE-2013-4810\");\n script_bugtraq_id(57552, 62854, 77037);\n script_xref(name:\"CERT\", value:\"632656\");\n script_xref(name:\"EDB-ID\", value:\"16318\");\n script_xref(name:\"EDB-ID\", value:\"21080\");\n script_xref(name:\"EDB-ID\", value:\"28713\");\n script_xref(name:\"EDB-ID\", value:\"30211\");\n script_xref(name:\"ZDI\", value:\"ZDI-13-229\");\n script_xref(name:\"HP\", value:\"HPSBGN02952\");\n script_xref(name:\"HP\", value:\"SSRT101127\");\n script_xref(name:\"HP\", value:\"emr_na-c04041110\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", 
value:\"2022/04/15\");\n\n script_name(english:\"Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on\nthe web server on the remote host are accessible to unauthenticated\nusers. The remote host is, therefore, affected by the following\nvulnerabilities :\n\n - A security bypass vulnerability exists due to improper\n restriction of access to the console and web management\n interfaces. An unauthenticated, remote attacker can\n exploit this, via direct requests, to bypass\n authentication and gain administrative access.\n (CVE-2007-1036)\n\n - A remote code execution vulnerability exists due to the\n JMXInvokerHAServlet and EJBInvokerHAServlet invoker\n servlets not properly restricting access to profiles. An\n unauthenticated, remote attacker can exploit this to\n bypass authentication and invoke MBean methods,\n resulting in the execution of arbitrary code.\n (CVE-2012-0874)\n\n - A remote code execution vulnerability exists in the\n EJBInvokerServlet and JMXInvokerServlet servlets due to\n the ability to post a marshalled object. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted request, to install arbitrary\n applications. 
Note that this issue is known to affect\n McAfee Web Reporter versions prior to or equal to\n version 5.2.1 as well as Symantec Workspace Streaming\n version 7.5.0.493 and possibly earlier.\n (CVE-2013-4810)\");\n # https://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?74979c27\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-229/\");\n # https://web.archive.org/web/20131031213751/http://retrogod.altervista.org/9sg_ejb.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?52567bc1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2013/Oct/126\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/530241/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2013/Dec/att-133/ESA-2013-094.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"If using EMC Data Protection Advisor, either upgrade to version 6.x or\napply the workaround for 5.x. 
\n\nOtherwise, contact the vendor or remove any affected JBoss servlets.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:ND\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-4810\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'JBoss JMX Console Deployer Upload and Execute');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-13-606\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:procurve_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:application_lifecycle_management\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:identity_driven_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_web_platform\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_application_platform\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_brms_platform\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_application_platform\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:jboss:jboss_application_server\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:workspace_streaming\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 9111, 8080, 9832);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n# Identify possible ports.\n#\n# - web servers.\nports = get_kb_list(\"Services/www\");\nif (isnull(ports)) ports = make_list();\n\n# - ports for McAfee Web Reporter and Symantec Workspace Streaming.\nforeach p (make_list(8080, 9111, 9832))\n{\n if (service_is_unknown(port:p)) ports = add_port_in_list(list:ports, port:p);\n}\n\n# Check each port.\nnon_vuln = make_list();\n\nforeach port (ports)\n{\n vuln_urls = make_list();\n\n foreach page (make_list(\"/EJBInvokerServlet\", \"/JMXInvokerServlet\"))\n {\n url = \"/invoker\" + page;\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n fetch404 : TRUE\n );\n\n if (\n !isnull(res) &&\n \"org.jboss.invocation.MarshalledValue\" >< res[2] &&\n (\n 'WWW-Authenticate: Basic realm=\"JBoss HTTP Invoker\"' >!< res[1] ||\n \"404 Not Found\" >!< res[1]\n )\n ) vuln_urls = make_list(vuln_urls, build_url(qs:url, port:port));\n }\n\n if (max_index(vuln_urls) > 0)\n {\n if (max_index(vuln_urls) > 1) request = \"URLs\";\n else request = \"URL\";\n\n if (report_verbosity > 0)\n {\n report =\n '\\n' +'Nessus was able to verify the issue exists using the following '+\n '\\n' + request + ' :' +\n '\\n' +\n '\\n' + join(vuln_urls, sep:'\\n') + '\\n';\n\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n }\n else non_vuln = make_list(non_vuln, port);\n}\n\nif (max_index(non_vuln) == 1) exit(0, \"The web server tested on port \" + port + 
\" is not affected.\");\nelse if (max_index(non_vuln) > 1) exit(0, \"None of the ports tested (\" +join(non_vuln, sep:\", \")+ \") contain web servers that are affected.\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-06-29T04:59:45", "description": "HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {}, "published": "2013-09-16T00:00:00", "type": "attackerkb", "title": "CVE-2013-4810", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-1036", "CVE-2010-0738", "CVE-2012-0874", "CVE-2013-4810"], "modified": "2020-06-05T00:00:00", "id": "AKB:042526B3-4F4D-49D3-A3D1-B483FB66CF4C", "href": "https://attackerkb.com/topics/ku1plIvfwG/cve-2013-4810", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T13:53:22", "description": "HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) 
JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.", "cvss3": {}, "published": "2013-09-16T13:01:00", "type": "cve", "title": "CVE-2013-4810", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-1036", "CVE-2010-0738", "CVE-2012-0874", "CVE-2013-4810"], "modified": "2017-10-05T01:29:00", "cpe": ["cpe:/a:hp:application_lifecycle_management:-", "cpe:/a:hp:identity_driven_manager:4.0", "cpe:/a:hp:procurve_manager:4.0", "cpe:/a:hp:procurve_manager:3.20"], "id": "CVE-2013-4810", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4810", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:procurve_manager:3.20:*:*:*:*:plus:*:*", "cpe:2.3:a:hp:procurve_manager:4.0:*:*:*:*:plus:*:*", "cpe:2.3:a:hp:identity_driven_manager:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:hp:application_lifecycle_management:-:*:*:*:*:*:*:*", "cpe:2.3:a:hp:procurve_manager:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:hp:procurve_manager:3.20:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2021-06-08T19:10:16", "description": "Cross-site scripting, code execution.", "edition": 2, "cvss3": {}, "published": "2014-01-08T00:00:00", "title": "HP ProCurve Manager multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2005-2572", "CVE-2013-4810", "CVE-2013-4811", "CVE-2013-4809", "CVE-2013-4813", "CVE-2013-4812"], "modified": "2014-01-08T00:00:00", "id": 
"SECURITYVULNS:VULN:13501", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13501", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:58:44", "description": "Code execution, session reusage, SQL injection.", "edition": 2, "cvss3": {}, "published": "2013-09-11T00:00:00", "title": "HP ProCurve Manager, HP Identity Driven Manager multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2005-2572", "CVE-2013-4810", "CVE-2013-4811", "CVE-2013-4809", "CVE-2013-4813", "CVE-2013-4812"], "modified": "2013-09-11T00:00:00", "id": "SECURITYVULNS:VULN:13282", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13282", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:50", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c03897409\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c03897409\r\nVersion: 2\r\n\r\nHPSBPV02918 rev.2 - HP ProCurve Manager (PCM), HP PCM+ and HP Identity Driven\r\nManager (IDM), SQL Injection, Remote Code Execution, Session Reuse\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2013-10-15\r\nLast Updated: 2013-10-15\r\n\r\nPotential Security Impact: SQL injection, remote code execution, session\r\nreuse\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP ProCurve\r\nManager (PCM), HP PCM+ and HP Identity Driven Manager (IDM). 
These\r\nvulnerabilities could be exploited remotely to allow SQL injection, remote\r\ncode execution and session reuse.\r\n\r\nReferences: CVE-2005-2572 (SSRT101272)\r\nCVE-2013-4809 (ZDI-CAN-1744, SSRT101132)\r\nCVE-2013-4810 (ZDI-CAN-1760, SSRT101127)\r\nCVE-2013-4811 (ZDI-CAN-1743, SSRT101116)\r\nCVE-2013-4812 (ZDI-CAN-1742, SSRT101115)\r\nCVE-2013-4813 (ZDI-CAN-1745, SSRT101129)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP ProCurve Manager (PCM) v3.x, v3.20, v4.0\r\nHP PCM+ v3.20, v4.0\r\nHP Identity Driven Manager (IDM) v4.0\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2013-4809 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4810 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4811 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4812 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4813 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2005-2572 (AV:N/AC:M/Au:S/C:C/I:C/A:C) 8.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Andrea Micalizzi aka rgod for working with\r\nHP's Zero Day Initiative to report CVE-2013-4809, CVE-2013-4810,\r\nCVE-2013-4811, CVE-2013-4812 and CVE-2013-4813 to security-alert@hp.com\r\n\r\nRESOLUTION\r\n\r\nHP has provided updated software to resolve these issues. Please used the\r\nAutoUpdate feature of PCM.\r\n\r\nNote about CVE-2005-2572 and PCM v3.X: To address CVE-2005-2572 on PCMv3, a\r\nseparate security tool must be run. This security tool can be found as\r\nfollows. 
Browse to the HP Networking Support Lookup Tool\r\nhttp://www.hp.com/networking/support :\r\n\r\nEnter a PCM v3.x product number, such as J9173A, J9174A, J9175A, or J9176A\r\ninto the "Auto Search" text box\r\nCheck the appropriate product\r\nPress "Display Selected"\r\nClick "Software Downloads"\r\nIn the "Other" section, there will be a "Security Tools" download which\r\ncontains a zip file with several executables.\r\nTo protect your PCM v3.x installation, use the pcm320-DB-restrict tool. There\r\nare 32bit and 64bit versions available. Please read the release notes\r\nincluded in the Security Tool download.\r\nIMPORTANT: If you will be updating a protected PCM v3 installation to PCM v4,\r\nyou will need to run the pcm320-DB-unrestrict utility prior to updating.\r\n\r\nProduct and Potential Vulnerability\r\n Resolution\r\n HP Branded Products Impacted\r\n\r\nHP IDM v4.00 (CVE-2013-4809, CVE-2013-4810, CVE-2013-4811, CVE-2013-4812)\r\n HP PCM v4.00 AutoUpdate #6 04.00.06.628\r\n J9752A HP PCM+ Identity Driven Manager v4 Software Module with 500-user\r\nLicense\r\n\r\nJ9753A HP PCM+ Identity Driven Manager v4 Software Module with Unlimited-user\r\nLicense\r\n\r\nHP PCM v3.20, HP PCM v4.00 (CVE-2013-4813)\r\n HP PCM v4.00 AutoUpdate #5 04.00.05.612\r\n\r\nHP PCM v3.20 AutoUpdate #8 C.03.20.1741\r\n J9755A HP PCM+ v4 Software Platform with 50-device License\r\n\r\nJ9757A HP PCM+ v4 Software Platform with Unlimited-device License\r\n\r\nJ9173A HP ProCurve Manager Plus 3.0 50 device license upgrade\r\n\r\nJ9174A HP ProCurve Manager Plus 3.0 software with 50 device license\r\n\r\nJ9176A HP ProCurve Manager Plus 3.0 unlimited device license upgrade\r\n\r\nJ9177A HP ProCurve Manager Plus 3.0 software with unlimited device license\r\n\r\nHP PCM v4.00 ( CVE-2005-2572)\r\n HP PCM v4.00 AutoUpdate #5 04.00.05.612\r\n J9755A HP PCM+ v4 Software Platform with 50-device License\r\n\r\nJ9757A HP PCM+ v4 Software Platform with Unlimited-device License\r\n\r\nHP PCM v3.x ( 
CVE-2005-2572)\r\n HP PCM v3.x see Resolution text above.\r\n J9173A HP ProCurve Manager Plus 3.0 50 device license upgrade\r\n\r\nJ9174A HP ProCurve Manager Plus 3.0 software with 50 device license\r\n\r\nJ9176A HP ProCurve Manager Plus 3.0 unlimited device license upgrade\r\n\r\nJ9177A HP ProCurve Manager Plus 3.0 software with unlimited device license\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 9 September 2013 Initial release\r\nVersion:2 (rev.2) - 15 October 2013 Added PCM v3\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2013 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial 
errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits;damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlJdvz4ACgkQ4B86/C0qfVmLhwCghN6a1Opqqcbd3dLqlnnfQWci\r\nUR8AoIhyX+Ht4By5+4v503IdvTZKcaWg\r\n=3nFW\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "cvss3": {}, "published": "2014-01-08T00:00:00", "title": "[security bulletin] HPSBPV02918 rev.2 - HP ProCurve Manager (PCM), HP PCM+ and HP Identity Driven Manager (IDM), SQL Injection, Remote Code Execution, Session Reuse", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2005-2572", "CVE-2013-4810", "CVE-2013-4811", "CVE-2013-4809", "CVE-2013-4813", "CVE-2013-4812"], "modified": "2014-01-08T00:00:00", "id": "SECURITYVULNS:DOC:30182", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30182", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:49", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c03897409\r\n\r\nSUPPORT COMMUNICATION - 
SECURITY BULLETIN\r\n\r\nDocument ID: c03897409\r\nVersion: 1\r\n\r\nHPSBPV02918 rev.1 - HP ProCurve Manager (PCM), HP PCM+ and HP Identity Driven\r\nManager (IDM), SQL Injection, Remote Code Execution, Session Reuse\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2013-09-09\r\nLast Updated: 2013-09-09\r\n\r\nPotential Security Impact: SQL injection, remote code execution, session\r\nreuse\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP ProCurve\r\nManager (PCM), HP PCM+ and HP Identity Driven Manager (IDM). These\r\nvulnerabilities could be exploited remotely to allow SQL injection, remote\r\ncode execution and session reuse.\r\n\r\nReferences: CVE-2005-2572 (SSRT101272)\r\nCVE-2013-4809 (ZDI-CAN-1744, SSRT101132)\r\nCVE-2013-4810 (ZDI-CAN-1760, SSRT101127)\r\nCVE-2013-4811 (ZDI-CAN-1743, SSRT101116)\r\nCVE-2013-4812 (ZDI-CAN-1742, SSRT101115)\r\nCVE-2013-4813 (ZDI-CAN-1745, SSRT101129)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP ProCurve Manager (PCM) v3.20, v4.0\r\nHP PCM+ v3.20, v4.0\r\nHP Identity Driven Manager (IDM) v4.0\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2013-4809 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4810 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4811 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4812 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2013-4813 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2005-2572 (AV:N/AC:M/Au:S/C:C/I:C/A:C) 8.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Andrea Micalizzi aka rgod for working with\r\nHP's Zero Day Initiative to report CVE-2013-4809, 
CVE-2013-4810,\r\nCVE-2013-4811, CVE-2013-4812 and CVE-2013-4813 to security-alert@hp.com\r\n\r\nRESOLUTION\r\n\r\nHP has provided updated software to resolve these issues. Please used the\r\nAutoUpdate feature of PCM. Product and Potential Vulnerability\r\n Resolution\r\n HP Branded Products Impacted\r\n\r\nHP IDM v4.00 (CVE-2013-4809, CVE-2013-4810, CVE-2013-4811, CVE-2013-4812)\r\n HP PCM v4.00 AutoUpdate #6 04.00.06.628\r\n J9752A HP PCM+ Identity Driven Manager v4 Software Module with 500-user\r\nLicense\r\n\r\nJ9753A HP PCM+ Identity Driven Manager v4 Software Module with Unlimited-user\r\nLicense\r\n\r\nHP PCM v3.20, HP PCM v4.00 (CVE-2013-4813)\r\n HP PCM v4.00 AutoUpdate #5 04.00.05.612\r\n\r\nHP PCM v3.20 AutoUpdate #8 C.03.20.1741\r\n J9755A HP PCM+ v4 Software Platform with 50-device License\r\n\r\nJ9757A HP PCM+ v4 Software Platform with Unlimited-device License\r\n\r\nJ9173A HP ProCurve Manager Plus 3.0 50 device license upgrade\r\n\r\nJ9174A HP ProCurve Manager Plus 3.0 software with 50 device license\r\n\r\nJ9176A HP ProCurve Manager Plus 3.0 unlimited device license upgrade\r\n\r\nJ9177A HP ProCurve Manager Plus 3.0 software with unlimited device license\r\n\r\nHP PCM v4.00 ( CVE-2005-2572)\r\n HP PCM v4.00 AutoUpdate #5 04.00.05.612\r\n J9755A HP PCM+ v4 Software Platform with 50-device License\r\n\r\nJ9757A HP PCM+ v4 Software Platform with Unlimited-device License\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 9 September 2013 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2013 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits;damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlIuBgcACgkQ4B86/C0qfVlvcwCggBleIQ2jJ5kVsOs0jnnfN0nJ\r\njqkAnjs4Po+SPJx4rm+WXolFai2juOmy\r\n=5yU4\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2013-09-11T00:00:00", "title": "[security bulletin] HPSBPV02918 rev.1 - HP ProCurve Manager (PCM), HP PCM+ and HP Identity Driven Manager (IDM), SQL Injection, Remote Code Execution, Session Reuse", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2005-2572", "CVE-2013-4810", "CVE-2013-4811", "CVE-2013-4809", "CVE-2013-4813", "CVE-2013-4812"], "modified": "2013-09-11T00:00:00", "id": "SECURITYVULNS:DOC:29808", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29808", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}