Vulnerability Description
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Jboss Enterprise Application Platform | 6.2.0 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2014-1019.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1020.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1021.htmlVendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1102317
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95409
- http://rhn.redhat.com/errata/RHSA-2014-1019.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1020.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1021.htmlVendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1102317
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95409
FAQ
What is CVE-2014-3464?
CVE-2014-3464 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbou...
How severe is CVE-2014-3464?
CVE-2014-3464 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-3464?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Jboss Enterprise Application Platform.