CVE-2011-2196
First published: Fri Jun 10 2011(Updated: )
jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1484.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat JBoss Seam 2 Framework | =2.1.2-cr1 | |
| Red Hat JBoss Seam 2 Framework | <=2.2.2 | |
| Red Hat JBoss Seam 2 Framework | =2.0.0-cr1 | |
| Red Hat JBoss Seam 2 Framework | =2.2.0-cr1 | |
| Red Hat JBoss Seam 2 Framework | =2.0.2-ga | |
| JBoss Enterprise Application Platform | =4.3.0 | |
| Red Hat JBoss Seam 2 Framework | =2.0.0-beta1 | |
| Red Hat JBoss Seam 2 Framework | =2.1.0-alpha1 | |
| Red Hat JBoss Seam 2 Framework | =2.1.2-cr2 | |
| JBoss Enterprise Application Platform | =5.1.1 | |
| Red Hat JBoss Seam 2 Framework | =2.1.2 | |
| Red Hat JBoss Seam 2 Framework | =2.0.0-cr3 | |
| Red Hat JBoss Enterprise SOA Platform | =5.1.0 | |
| Red Hat JBoss Seam 2 Framework | =2.1.0-sp1 | |
| Red Hat JBoss Seam 2 Framework | =2.1.0-ga | |
| Red Hat JBoss Seam 2 Framework | =2.1.0-cr1 | |
| Red Hat JBoss Seam 2 Framework | =2.0.2-sp1 | |
| Red Hat JBoss Seam 2 Framework | =2.0.1-ga | |
| Red Hat JBoss Seam 2 Framework | =2.1.1-cr1 | |
| Red Hat JBoss Seam 2 Framework | =2.2.0-ga | |
| Red Hat JBoss Seam 2 Framework | =2.2.1-cr3 | |
| JBoss Enterprise Application Platform | =4.3.0-cp09 | |
| Red Hat JBoss Seam 2 Framework | =2.0.0-cr2 | |
| Red Hat JBoss Seam 2 Framework | =2.0.2-cr1 | |
| Red Hat JBoss Seam 2 Framework | =2.0.1-cr1 | |
| Red Hat JBoss Seam 2 Framework | =2.0.3-cr1 | |
| Red Hat JBoss Seam 2 Framework | =2.1.1-ga | |
| Red Hat JBoss Seam 2 Framework | =2.1.0-beta1 | |
| Red Hat JBoss Seam 2 Framework | =2.0.1-cr2 | |
| Red Hat JBoss Seam 2 Framework | =2.2.1-cr1 | |
| Red Hat JBoss Enterprise SOA Platform | =4.3.0-cp05 | |
| Red Hat JBoss Seam 2 Framework | =2.2.1 | |
| Red Hat JBoss Enterprise Web Platform | =5.1.1 | |
| Red Hat JBoss Seam 2 Framework | =2.2.1-cr2 | |
| Red Hat JBoss Seam 2 Framework | =2.1.1-cr2 | |
| Red Hat JBoss Seam 2 Framework | =2.0.0-ga | |
| Red Hat JBoss Seam 2 Framework | =2.0.2-cr2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.redhat.com/support/errata/RHSA-2011-0952.html
- http://www.redhat.com/support/errata/RHSA-2011-0946.html
- http://www.redhat.com/support/errata/RHSA-2011-0945.html
- http://www.redhat.com/support/errata/RHSA-2011-0948.html
- http://www.redhat.com/support/errata/RHSA-2011-0947.html
- http://www.securityfocus.com/bid/48716
- http://www.redhat.com/support/errata/RHSA-2011-0951.html
- http://www.redhat.com/support/errata/RHSA-2011-0950.html
- http://www.redhat.com/support/errata/RHSA-2011-0949.html
- https://bugzilla.redhat.com/show_bug.cgi?id=712283
- https://access.redhat.com/security/cve/CVE-2011-1484
- https://rhn.redhat.com/errata/RHSA-2011-0946.html
- https://rhn.redhat.com/errata/RHSA-2011-0948.html
- https://rhn.redhat.com/errata/RHSA-2011-0947.html
- https://rhn.redhat.com/errata/RHSA-2011-0951.html
- https://rhn.redhat.com/errata/RHSA-2011-0950.html
- https://rhn.redhat.com/errata/RHSA-2011-0949.html
- https://rhn.redhat.com/errata/RHSA-2011-0952.html
- https://rhn.redhat.com/errata/RHSA-2011-0945.html
Frequently Asked Questions
What is the severity of CVE-2011-2196?
CVE-2011-2196 is classified as a high severity vulnerability that can lead to potential security breaches in affected JBoss Seam frameworks.
How do I fix CVE-2011-2196?
To fix CVE-2011-2196, you should upgrade to JBoss Seam framework version 2.2.2 or later, or apply the specific patches provided by Red Hat.
Which versions of JBoss Seam are affected by CVE-2011-2196?
CVE-2011-2196 affects JBoss Seam versions 2.2.x and earlier, as well as various versions of the Red Hat JBoss Enterprise Application Platform, SOA Platform, and Web Platform.
What types of attacks can CVE-2011-2196 facilitate?
CVE-2011-2196 can potentially allow attackers to bypass security restrictions, leading to unauthorized access or code execution.
Is there a workaround for CVE-2011-2196?
While upgrading is the best course of action, implementing strict user access controls may serve as a temporary workaround against CVE-2011-2196.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-2196
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-index
- vendor/redhat
- canonical/red hat jboss seam 2 framework
- version/red hat jboss seam 2 framework/2.1.2-cr1
- version/red hat jboss seam 2 framework/2.2.2
- version/red hat jboss seam 2 framework/2.0.0-cr1
- version/red hat jboss seam 2 framework/2.2.0-cr1
- version/red hat jboss seam 2 framework/2.0.2-ga
- canonical/jboss enterprise application platform
- version/jboss enterprise application platform/4.3.0
- version/red hat jboss seam 2 framework/2.0.0-beta1
- version/red hat jboss seam 2 framework/2.1.0-alpha1
- version/red hat jboss seam 2 framework/2.1.2-cr2
- version/jboss enterprise application platform/5.1.1
- version/red hat jboss seam 2 framework/2.1.2
- version/red hat jboss seam 2 framework/2.0.0-cr3
- canonical/red hat jboss enterprise soa platform
- version/red hat jboss enterprise soa platform/5.1.0
- version/red hat jboss seam 2 framework/2.1.0-sp1
- version/red hat jboss seam 2 framework/2.1.0-ga
- version/red hat jboss seam 2 framework/2.1.0-cr1
- version/red hat jboss seam 2 framework/2.0.2-sp1
- version/red hat jboss seam 2 framework/2.0.1-ga
- version/red hat jboss seam 2 framework/2.1.1-cr1
- version/red hat jboss seam 2 framework/2.2.0-ga
- version/red hat jboss seam 2 framework/2.2.1-cr3
- version/jboss enterprise application platform/4.3.0-cp09
- version/red hat jboss seam 2 framework/2.0.0-cr2
- version/red hat jboss seam 2 framework/2.0.2-cr1
- version/red hat jboss seam 2 framework/2.0.1-cr1
- version/red hat jboss seam 2 framework/2.0.3-cr1
- version/red hat jboss seam 2 framework/2.1.1-ga
- version/red hat jboss seam 2 framework/2.1.0-beta1
- version/red hat jboss seam 2 framework/2.0.1-cr2
- version/red hat jboss seam 2 framework/2.2.1-cr1
- version/red hat jboss enterprise soa platform/4.3.0-cp05
- version/red hat jboss seam 2 framework/2.2.1
- canonical/red hat jboss enterprise web platform
- version/red hat jboss enterprise web platform/5.1.1
- version/red hat jboss seam 2 framework/2.2.1-cr2
- version/red hat jboss seam 2 framework/2.1.1-cr2
- version/red hat jboss seam 2 framework/2.0.0-ga
- version/red hat jboss seam 2 framework/2.0.2-cr2