CVE-2010-3708 - Vulnerability Details

The serialization implementation in JBoss Drools in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 before 4.3.0.CP09 and JBoss Enterprise SOA Platform 4.2 and 4.3 supports the embedding of class files, which allows remote attackers to execute arbitrary code via a crafted static initializer.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Jboss Enterprise Application Platform Jboss Enterprise Soa Platform Jboss Soa Platform

Configuration 1 [-]

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp01::::::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp02::::::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp03::::::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp04::::::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp05::::::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp06::::::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp07::::::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp08::::::

Configuration 2 [-]

OR	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp01::::::
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp02::::::
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp03::::::
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp04::::::
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp05::::::
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:tp02::::::
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp01::::::
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp02::::::
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp03::::::
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp04::::::

Package	CPE	Advisory	Released Date
Red Hat JBoss Enterprise Application Platform 4.3
	cpe:/a:redhat:jboss_enterprise_application_platform:4.3	RHSA-2010:0939	2010-12-01T00:00:00Z
Red Hat JBoss Enterprise Application Platform 4.3 for RHEL 4
glassfish-jaxb-0:2.1.4-1.17.patch04.ep1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
glassfish-jaxws-0:2.1.1-1jpp.ep1.13.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
hibernate3-1:3.2.4-1.SP1_CP11.0jpp.ep2.0.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
hibernate3-annotations-0:3.3.1-2.0.GA_CP04.ep1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
javassist-0:3.9.0-2.ep1.1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
jbossas-0:4.3.0-8.GA_CP09.2.ep1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
jboss-common-0:1.2.2-1.ep1.1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
jboss-messaging-0:1.4.0-4.SP3_CP11.1.ep1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
jboss-remoting-0:2.2.3-4.SP3.ep1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
jboss-seam-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.22.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
jboss-seam2-0:2.0.2.FP-1.ep1.26.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
jbossts-1:4.2.3-2.SP5_CP10.1jpp.ep1.1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
jbossweb-0:2.0.0-7.CP15.0jpp.ep1.1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
jbossws-0:2.0.1-6.SP2_CP09.2.ep1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
jbossws-common-0:1.0.0-3.GA_CP06.1.ep1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
jgroups-1:2.4.9-1.ep1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
rh-eap-docs-0:4.3.0-8.GA_CP09.ep1.3.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
xalan-j2-0:2.7.1-4.ep1.1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4	RHSA-2010:0937	2010-12-01T00:00:00Z
Red Hat JBoss Enterprise Application Platform 4.3 for RHEL 5
glassfish-jaxb-0:2.1.4-1.17.patch04.ep1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
glassfish-jaxws-0:2.1.1-1jpp.ep1.13.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
hibernate3-1:3.2.4-1.SP1_CP11.0jpp.ep2.0.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
hibernate3-annotations-0:3.3.1-2.0.GA_CP04.ep1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
javassist-0:3.9.0-2.ep1.1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
jbossas-0:4.3.0-8.GA_CP09.2.1.ep1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
jboss-common-0:1.2.2-1.ep1.1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
jboss-messaging-0:1.4.0-4.SP3_CP11.1.ep1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
jboss-remoting-0:2.2.3-4.SP3.ep1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
jboss-seam-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.22.el5.1	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
jboss-seam2-0:2.0.2.FP-1.ep1.26.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
jbossts-1:4.2.3-2.SP5_CP10.1jpp.ep1.1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
jbossweb-0:2.0.0-7.CP15.0jpp.ep1.1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
jbossws-0:2.0.1-6.SP2_CP09.2.ep1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
jbossws-common-0:1.0.0-3.GA_CP06.1.ep1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
jgroups-1:2.4.9-1.ep1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
quartz-0:1.5.2-1jpp.patch01.ep1.4.2.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
rh-eap-docs-0:4.3.0-8.GA_CP09.ep1.3.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
xalan-j2-0:2.7.1-4.ep1.1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5	RHSA-2010:0938	2010-12-01T00:00:00Z
Red Hat JBoss SOA Platform 4.2
	cpe:/a:redhat:jboss_soa_platform:4.2	RHSA-2010:0940	2010-12-01T00:00:00Z
Red Hat JBoss SOA Platform 4.3
	cpe:/a:redhat:jboss_soa_platform:4.3	RHSA-2010:0940	2010-12-01T00:00:00Z

References

Link	Providers
http://securitytracker.com/id?1024813
http://www.redhat.com/support/errata/RHSA-2010-0937.html
http://www.redhat.com/support/errata/RHSA-2010-0938.html
http://www.redhat.com/support/errata/RHSA-2010-0939.html
http://www.redhat.com/support/errata/RHSA-2010-0940.html
https://bugzilla.redhat.com/show_bug.cgi?id=633859
https://issues.jboss.org/browse/SOA-2319
https://nvd.nist.gov/vuln/detail/CVE-2010-3708
https://www.cve.org/CVERecord?id=CVE-2010-3708

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2010-12-30T20:00:00Z

Updated: 2024-08-07T03:18:53.023Z

Reserved: 2010-10-01T00:00:00Z

Link: CVE-2010-3708

Vulnrichment

No data.

NVD

Status : Modified

Published: 2010-12-30T21:00:01.267

Modified: 2024-11-21T01:19:26.380

Link: CVE-2010-3708

Redhat

Severity : Important

Publid Date: 2010-12-01T00:00:00Z

Links: CVE-2010-3708 - Bugzilla

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object