CVE-2013-2165

Current Description

ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.

Evaluator Description

Per: http://www.bleathem.ca/blog/2013/07/richfaces-CVE-2013-2165.html "Download RichFaces 3.3.4.Final or RichFaces 4.3.3.Final and use them in your applications to protect yourself from this vulnerability."

Referenced by CVEs: CVE-2013-4521

Basic Data

Published: July 23, 2013
Last Modified: March 09, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-264
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 7.5
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    All rows below are CPE version 2.3. The Edition, Language, SW Edition, Target SW, Target HW and Other columns are "*" (any) in every row, and the four version-range columns (Version Start Including, Version End Including, Version Start Excluding, Version End Excluding) are empty except for the one row noted after the table.

    Part | Vendor | Product | Version | Update
    Application | Redhat | Jboss Enterprise Application Platform | 4.3.0 | *
    Application | Redhat | Jboss Enterprise Application Platform | 4.3.0 | cp10
    Application | Redhat | Jboss Enterprise Application Platform | 5.0.0 | *
    Application | Redhat | Jboss Enterprise Application Platform | 5.0.1 | *
    Application | Redhat | Jboss Enterprise Application Platform | 5.1.0 | *
    Application | Redhat | Jboss Enterprise Application Platform | 5.1.1 | *
    Application | Redhat | Jboss Enterprise Application Platform | 5.1.2 | *
    Application | Redhat | Jboss Enterprise Application Platform | 5.2.0 | *
    Application | Redhat | Jboss Enterprise Brms Platform | 5.0.0 | *
    Application | Redhat | Jboss Enterprise Brms Platform | 5.0.1 | *
    Application | Redhat | Jboss Enterprise Brms Platform | 5.0.2 | *
    Application | Redhat | Jboss Enterprise Brms Platform | 5.1.0 | *
    Application | Redhat | Jboss Enterprise Brms Platform | 5.2.0 | *
    Application | Redhat | Jboss Enterprise Brms Platform | 5.3.0 | *
    Application | Redhat | Jboss Enterprise Brms Platform | 5.3.1 | *
    Application | Redhat | Jboss Enterprise Portal Platform | 4.3.0 | cp03
    Application | Redhat | Jboss Enterprise Portal Platform | 4.3.0 | cp04
    Application | Redhat | Jboss Enterprise Portal Platform | 4.3.0 | cp05
    Application | Redhat | Jboss Enterprise Portal Platform | 4.3.0 | cp06
    Application | Redhat | Jboss Enterprise Portal Platform | 4.3.0 | cp07
    Application | Redhat | Jboss Enterprise Portal Platform | 5.0.0 | *
    Application | Redhat | Jboss Enterprise Portal Platform | 5.0.1 | *
    Application | Redhat | Jboss Enterprise Portal Platform | 5.1.0 | *
    Application | Redhat | Jboss Enterprise Portal Platform | 5.1.1 | *
    Application | Redhat | Jboss Enterprise Portal Platform | 5.2.0 | *
    Application | Redhat | Jboss Enterprise Portal Platform | 5.2.1 | *
    Application | Redhat | Jboss Enterprise Portal Platform | 5.2.2 | *
    Application | Redhat | Jboss Enterprise Soa Platform | 4.2.0 | *
    Application | Redhat | Jboss Enterprise Soa Platform | 4.2.0 | cp01
    Application | Redhat | Jboss Enterprise Soa Platform | 4.2.0 | cp02
    Application | Redhat | Jboss Enterprise Soa Platform | 4.2.0 | cp03
    Application | Redhat | Jboss Enterprise Soa Platform | 4.2.0 | cp04
    Application | Redhat | Jboss Enterprise Soa Platform | 4.2.0 | cp05
    Application | Redhat | Jboss Enterprise Soa Platform | 4.2.0 | tp02
    Application | Redhat | Jboss Enterprise Soa Platform | 4.3.0 | *
    Application | Redhat | Jboss Enterprise Soa Platform | 4.3.0 | cp01
    Application | Redhat | Jboss Enterprise Soa Platform | 4.3.0 | cp02
    Application | Redhat | Jboss Enterprise Soa Platform | 4.3.0 | cp03
    Application | Redhat | Jboss Enterprise Soa Platform | 4.3.0 | cp04
    Application | Redhat | Jboss Enterprise Soa Platform | 4.3.0 | cp05
    Application | Redhat | Jboss Enterprise Soa Platform | 5.0.0 | *
    Application | Redhat | Jboss Enterprise Soa Platform | 5.0.1 | *
    Application | Redhat | Jboss Enterprise Soa Platform | 5.0.2 | *
    Application | Redhat | Jboss Enterprise Soa Platform | 5.1.0 | *
    Application | Redhat | Jboss Enterprise Soa Platform | 5.1.1 | *
    Application | Redhat | Jboss Enterprise Soa Platform | 5.2.0 | *
    Application | Redhat | Jboss Enterprise Soa Platform | 5.3.0 | *
    Application | Redhat | Jboss Enterprise Soa Platform | 5.3.1 | *
    Application | Redhat | Jboss Enterprise Web Platform | 5.1.0 | *
    Application | Redhat | Jboss Enterprise Web Platform | 5.1.1 | *
    Application | Redhat | Jboss Enterprise Web Platform | 5.1.2 | *
    Application | Redhat | Jboss Enterprise Web Platform | 5.2.0 | *
    Application | Redhat | Jboss Operations Network | 1.0.0 | *
    Application | Redhat | Jboss Operations Network | 2.0.0 | *
    Application | Redhat | Jboss Operations Network | 2.0.1 | *
    Application | Redhat | Jboss Operations Network | 2.1.0 | *
    Application | Redhat | Jboss Operations Network | 2.2 | *
    Application | Redhat | Jboss Operations Network | 2.3 | *
    Application | Redhat | Jboss Operations Network | 2.3.1 | *
    Application | Redhat | Jboss Operations Network | 2.4 | *
    Application | Redhat | Jboss Operations Network | 2.4.1 | *
    Application | Redhat | Jboss Operations Network | 2.4.2 | *
    Application | Redhat | Jboss Operations Network | 3.0 | *
    Application | Redhat | Jboss Operations Network | 3.0.1 | *
    Application | Redhat | Jboss Operations Network | 3.1 | *
    Application | Redhat | Jboss Operations Network | 3.1.1 | *
    Application | Redhat | Jboss Operations Network | 3.1.2 | *
    Application | Redhat | Jboss Web Framework Kit | 1.0.0 | *
    Application | Redhat | Jboss Web Framework Kit | 1.1.0 | *
    Application | Redhat | Jboss Web Framework Kit | 1.2.0 | *
    Application | Redhat | Jboss Web Framework Kit | 2.0.0 | *
    Application | Redhat | Jboss Web Framework Kit | 2.1.0 | *
    Application | Redhat | Jboss Web Framework Kit | * | * (version-range value 2.2.0, see note below)
    Application | Redhat | Richfaces | 3.1.0 | *
    Application | Redhat | Richfaces | 3.1.1 | *
    Application | Redhat | Richfaces | 3.1.2 | *
    Application | Redhat | Richfaces | 3.1.3 | *
    Application | Redhat | Richfaces | 3.1.4 | *
    Application | Redhat | Richfaces | 3.1.5 | *
    Application | Redhat | Richfaces | 3.1.6 | *
    Application | Redhat | Richfaces | 3.2.0 | *
    Application | Redhat | Richfaces | 3.2.0 | sr1
    Application | Redhat | Richfaces | 3.2.1 | *
    Application | Redhat | Richfaces | 3.2.2 | *
    Application | Redhat | Richfaces | 3.3.0 | *
    Application | Redhat | Richfaces | 3.3.1 | *
    Application | Redhat | Richfaces | 3.3.2 | *
    Application | Redhat | Richfaces | 3.3.2 | sr1
    Application | Redhat | Richfaces | 3.3.3 | *
    Application | Redhat | Richfaces | 4.0.0 | *
    Application | Redhat | Richfaces | 4.1.0 | *
    Application | Redhat | Richfaces | 4.2.0 | *
    Application | Redhat | Richfaces | 4.2.1 | *
    Application | Redhat | Richfaces | 4.2.2 | *
    Application | Redhat | Richfaces | 4.2.3 | *
    Application | Redhat | Richfaces | 4.3.0 | *
    Application | Redhat | Richfaces | 4.3.1 | *
    Application | Redhat | Richfaces | 4.5.0 | alpha1
    Application | Redhat | Richfaces | 5.0.0 | alpha1

    Note: the Jboss Web Framework Kit row with Version "*" carries the value 2.2.0 in one of the four version-range columns; the flattened source collapses empty cells, so which of the four it belongs to cannot be read from this record.

Vulnerable Software List

Vendor | Product | Versions
Redhat | Jboss Enterprise Application Platform | 4.3.0, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 5.2.0
Redhat | Jboss Web Framework Kit | *, 1.0.0, 1.1.0, 1.2.0, 2.0.0, 2.1.0
Redhat | Richfaces | 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 4.0.0, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.5.0, 5.0.0
Redhat | Jboss Enterprise Portal Platform | 4.3.0, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2
Redhat | Jboss Enterprise Brms Platform | 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, 5.3.0, 5.3.1
Redhat | Jboss Operations Network | 1.0.0, 2.0.0, 2.0.1, 2.1.0, 2.2, 2.3, 2.3.1, 2.4, 2.4.1, 2.4.2, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2
Redhat | Jboss Enterprise Web Platform | 5.1.0, 5.1.1, 5.1.2, 5.2.0
Redhat | Jboss Enterprise Soa Platform | 4.2.0, 4.3.0, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.3.1

References

Name | URL | Source | Tags
JVN#38787103 | http://jvn.jp/en/jp/JVN38787103/index.html | JVN | Third Party Advisory, VDB Entry
JVNDB-2013-000072 | http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072 | JVNDB | Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html | http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html | MISC | (none)
RHSA-2013:1041 | http://rhn.redhat.com/errata/RHSA-2013-1041.html | REDHAT | Vendor Advisory
RHSA-2013:1042 | http://rhn.redhat.com/errata/RHSA-2013-1042.html | REDHAT | Vendor Advisory
RHSA-2013:1043 | http://rhn.redhat.com/errata/RHSA-2013-1043.html | REDHAT | Vendor Advisory
RHSA-2013:1044 | http://rhn.redhat.com/errata/RHSA-2013-1044.html | REDHAT | Vendor Advisory
RHSA-2013:1045 | http://rhn.redhat.com/errata/RHSA-2013-1045.html | REDHAT | Vendor Advisory
20200313 RichFaces exploitation toolkit | http://seclists.org/fulldisclosure/2020/Mar/21 | FULLDISC | (none)
https://access.redhat.com/security/cve/CVE-2013-2165 | https://access.redhat.com/security/cve/CVE-2013-2165 | CONFIRM | Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=973570 | https://bugzilla.redhat.com/show_bug.cgi?id=973570 | CONFIRM | Issue Tracking, Vendor Advisory