CVE-2010-3862: Input Validation
First published: Fri Oct 08 2010(Updated: )
The org.jboss.remoting.transport.bisocket.BisocketServerInvoker$SecondaryServerSocketThread.run method in JBoss Remoting 2.2.x before 2.2.3.SP4 and 2.5.x before 2.5.3.SP2 in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 through 4.3.0.CP09, and 5.1.0; and JBoss Enterprise Web Platform (aka JBEWP) 5.1.0; allows remote attackers to cause a denial of service (daemon outage) by establishing a bisocket control connection TCP session, and then not sending any application data.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat JBoss Remoting | =2.2.0 | |
| Red Hat JBoss Remoting | =2.2.2-sp10 | |
| Red Hat JBoss Remoting | =2.2.2-sp11 | |
| Red Hat JBoss Remoting | =2.2.2-sp2 | |
| Red Hat JBoss Remoting | =2.2.2-sp4 | |
| Red Hat JBoss Remoting | =2.2.2-sp7 | |
| Red Hat JBoss Remoting | =2.2.2-sp8 | |
| Red Hat JBoss Remoting | =2.2.3 | |
| Red Hat JBoss Remoting | =2.2.3-sp1 | |
| Red Hat JBoss Remoting | =2.2.3-sp2 | |
| Red Hat JBoss Remoting | =2.2.3-sp3 | |
| JBoss Enterprise Application Platform | =4.3.0 | |
| JBoss Enterprise Application Platform | =4.3.0-cp01 | |
| JBoss Enterprise Application Platform | =4.3.0-cp02 | |
| JBoss Enterprise Application Platform | =4.3.0-cp03 | |
| JBoss Enterprise Application Platform | =4.3.0-cp04 | |
| JBoss Enterprise Application Platform | =4.3.0-cp05 | |
| JBoss Enterprise Application Platform | =4.3.0-cp06 | |
| JBoss Enterprise Application Platform | =4.3.0-cp07 | |
| JBoss Enterprise Application Platform | =4.3.0-cp08 | |
| JBoss Enterprise Application Platform | =4.3.0-cp09 | |
| JBoss Enterprise Application Platform | =5.1.0 | |
| Red Hat JBoss Enterprise Web Platform | =5.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.redhat.com/support/errata/RHSA-2010-0937.html
- http://www.redhat.com/support/errata/RHSA-2010-0938.html
- http://securitytracker.com/id?1024813
- http://www.redhat.com/support/errata/RHSA-2010-0963.html
- http://www.redhat.com/support/errata/RHSA-2010-0961.html
- https://issues.jboss.org/browse/JBREM-1261
- http://www.redhat.com/support/errata/RHSA-2010-0939.html
- http://www.redhat.com/support/errata/RHSA-2010-0960.html
- http://www.redhat.com/support/errata/RHSA-2010-0959.html
- https://issues.jboss.org/browse/JBPAPP-5253
- https://bugzilla.redhat.com/show_bug.cgi?id=641389
- http://www.redhat.com/support/errata/RHSA-2010-0962.html
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=453808&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=453808&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=453810&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=453810&action=edit
- https://rhn.redhat.com/errata/RHSA-2010-0937.html
- https://rhn.redhat.com/errata/RHSA-2010-0938.html
- https://rhn.redhat.com/errata/RHSA-2010-0939.html
- https://access.redhat.com/security/cve/CVE-2010-3862
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=641389#c1
- https://rhn.redhat.com/errata/RHSA-2010-0960.html
- https://rhn.redhat.com/errata/RHSA-2010-0959.html
- https://rhn.redhat.com/errata/RHSA-2010-0961.html
- https://rhn.redhat.com/errata/RHSA-2010-0962.html
- https://rhn.redhat.com/errata/RHSA-2010-0963.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=641389#c15
- https://rhn.redhat.com/errata/RHSA-2010-0964.html
- https://rhn.redhat.com/errata/RHSA-2010-0965.html
Frequently Asked Questions
What is the severity of CVE-2010-3862?
The severity of CVE-2010-3862 is rated as moderate.
How do I fix CVE-2010-3862?
To fix CVE-2010-3862, upgrade JBoss Remoting to version 2.2.3.SP4 or later, and JBoss EAP to version 4.3.0.CP10 or later.
Which versions are affected by CVE-2010-3862?
CVE-2010-3862 affects JBoss Remoting versions prior to 2.2.3.SP4 and JBoss EAP versions from 4.3.0 to 4.3.0.CP09.
What component does CVE-2010-3862 affect?
CVE-2010-3862 specifically affects the BisocketServerInvoker in JBoss Remoting.
Is there a workaround for CVE-2010-3862?
No specific workaround is recommended for CVE-2010-3862; upgrading to a fixed version is the best option.
- collector/nvd-historical
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/weakness
- agent/remedy
- agent/last-modified-date
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-3862
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/redhat
- canonical/red hat jboss remoting
- version/red hat jboss remoting/2.2.0
- version/red hat jboss remoting/2.2.2-sp10
- version/red hat jboss remoting/2.2.2-sp11
- version/red hat jboss remoting/2.2.2-sp2
- version/red hat jboss remoting/2.2.2-sp4
- version/red hat jboss remoting/2.2.2-sp7
- version/red hat jboss remoting/2.2.2-sp8
- version/red hat jboss remoting/2.2.3
- version/red hat jboss remoting/2.2.3-sp1
- version/red hat jboss remoting/2.2.3-sp2
- version/red hat jboss remoting/2.2.3-sp3
- canonical/jboss enterprise application platform
- version/jboss enterprise application platform/4.3.0
- version/jboss enterprise application platform/4.3.0-cp01
- version/jboss enterprise application platform/4.3.0-cp02
- version/jboss enterprise application platform/4.3.0-cp03
- version/jboss enterprise application platform/4.3.0-cp04
- version/jboss enterprise application platform/4.3.0-cp05
- version/jboss enterprise application platform/4.3.0-cp06
- version/jboss enterprise application platform/4.3.0-cp07
- version/jboss enterprise application platform/4.3.0-cp08
- version/jboss enterprise application platform/4.3.0-cp09
- version/jboss enterprise application platform/5.1.0
- canonical/red hat jboss enterprise web platform
- version/red hat jboss enterprise web platform/5.1.0