CVE-2012-2377
First published: Mon May 21 2012(Updated: )
JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat JBoss Portal | <=5.2.1 | |
| Red Hat JBoss Portal | =4.3.0 | |
| Red Hat JBoss Portal | =4.3.0-cp07 | |
| Red Hat JBoss Portal | =5.0.0 | |
| Red Hat JBoss Portal | =5.0.1 | |
| Red Hat JBoss Portal | =5.1.0 | |
| Red Hat JBoss Portal | =5.1.1 | |
| Red Hat JBoss Portal | =5.2.0 | |
| Red Hat JBoss Enterprise SOA Platform | <=5.2.0 | |
| Red Hat JBoss Enterprise SOA Platform | =4.2.0 | |
| Red Hat JBoss Enterprise SOA Platform | =4.2.0-cp01 | |
| Red Hat JBoss Enterprise SOA Platform | =4.2.0-cp02 | |
| Red Hat JBoss Enterprise SOA Platform | =4.2.0-cp03 | |
| Red Hat JBoss Enterprise SOA Platform | =4.2.0-cp04 | |
| Red Hat JBoss Enterprise SOA Platform | =4.2.0-cp05 | |
| Red Hat JBoss Enterprise SOA Platform | =4.2.0-tp02 | |
| Red Hat JBoss Enterprise SOA Platform | =4.3.0 | |
| Red Hat JBoss Enterprise SOA Platform | =4.3.0-cp01 | |
| Red Hat JBoss Enterprise SOA Platform | =4.3.0-cp02 | |
| Red Hat JBoss Enterprise SOA Platform | =4.3.0-cp03 | |
| Red Hat JBoss Enterprise SOA Platform | =4.3.0-cp04 | |
| Red Hat JBoss Enterprise SOA Platform | =4.3.0-cp05 | |
| Red Hat JBoss Enterprise SOA Platform | =5.0.0 | |
| Red Hat JBoss Enterprise SOA Platform | =5.0.1 | |
| Red Hat JBoss Enterprise SOA Platform | =5.0.2 | |
| Red Hat JBoss Enterprise SOA Platform | =5.1.0 | |
| Red Hat JBoss Enterprise SOA Platform | =5.1.1 | |
| Red Hat JBoss Enterprise BRMS Platform | <=5.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2012-1028.html
- http://rhn.redhat.com/errata/RHSA-2012-1125.html
- http://rhn.redhat.com/errata/RHSA-2012-1232.html
- http://rhn.redhat.com/errata/RHSA-2013-0191.html
- http://rhn.redhat.com/errata/RHSA-2013-0192.html
- http://rhn.redhat.com/errata/RHSA-2013-0193.html
- http://rhn.redhat.com/errata/RHSA-2013-0194.html
- http://rhn.redhat.com/errata/RHSA-2013-0195.html
- http://rhn.redhat.com/errata/RHSA-2013-0196.html
- http://rhn.redhat.com/errata/RHSA-2013-0197.html
- http://rhn.redhat.com/errata/RHSA-2013-0198.html
- http://secunia.com/advisories/49669
- http://secunia.com/advisories/50084
- http://secunia.com/advisories/50549
- http://secunia.com/advisories/51984
- http://www.osvdb.org/83085
- http://www.securityfocus.com/bid/54183
- https://bugzilla.redhat.com/show_bug.cgi?id=823392
- https://exchange.xforce.ibmcloud.com/vulnerabilities/76540
Frequently Asked Questions
What is the severity of CVE-2012-2377?
CVE-2012-2377 is categorized as a high severity vulnerability that could allow unauthorized access to sensitive diagnostics information.
How do I fix CVE-2012-2377?
To fix CVE-2012-2377, update your affected JBoss software to the latest version that includes security patches.
What versions are affected by CVE-2012-2377?
CVE-2012-2377 affects several versions of JBoss Enterprise Portal Platform, SOA Platform, and BRMS Platform prior to specified version limits.
What kind of information can be accessed due to CVE-2012-2377?
CVE-2012-2377 allows remote attackers to read sensitive diagnostics information which may aid in further attacks.
Is authentication required for exploiting CVE-2012-2377?
No, CVE-2012-2377 can be exploited without authentication, posing a significant risk to vulnerable systems.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-2377
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/redhat
- canonical/red hat jboss portal
- version/red hat jboss portal/5.2.1
- version/red hat jboss portal/4.3.0
- version/red hat jboss portal/4.3.0-cp07
- version/red hat jboss portal/5.0.0
- version/red hat jboss portal/5.0.1
- version/red hat jboss portal/5.1.0
- version/red hat jboss portal/5.1.1
- version/red hat jboss portal/5.2.0
- canonical/red hat jboss enterprise soa platform
- version/red hat jboss enterprise soa platform/5.2.0
- version/red hat jboss enterprise soa platform/4.2.0
- version/red hat jboss enterprise soa platform/4.2.0-cp01
- version/red hat jboss enterprise soa platform/4.2.0-cp02
- version/red hat jboss enterprise soa platform/4.2.0-cp03
- version/red hat jboss enterprise soa platform/4.2.0-cp04
- version/red hat jboss enterprise soa platform/4.2.0-cp05
- version/red hat jboss enterprise soa platform/4.2.0-tp02
- version/red hat jboss enterprise soa platform/4.3.0
- version/red hat jboss enterprise soa platform/4.3.0-cp01
- version/red hat jboss enterprise soa platform/4.3.0-cp02
- version/red hat jboss enterprise soa platform/4.3.0-cp03
- version/red hat jboss enterprise soa platform/4.3.0-cp04
- version/red hat jboss enterprise soa platform/4.3.0-cp05
- version/red hat jboss enterprise soa platform/5.0.0
- version/red hat jboss enterprise soa platform/5.0.1
- version/red hat jboss enterprise soa platform/5.0.2
- version/red hat jboss enterprise soa platform/5.1.0
- version/red hat jboss enterprise soa platform/5.1.1
- canonical/red hat jboss enterprise brms platform
- version/red hat jboss enterprise brms platform/5.2.0