CVE-2012-2377 : JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platfo

JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast.

Published 2012-11-23 20:55:03

Updated 2017-08-29 01:31:36

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2012-2377

Probability of exploitation activity in the next 30 days: 0.44%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 71 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2012-2377

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.3	LOW	AV:A/AC:L/Au:N/C:P/I:N/A:N	6.5	2.9	NIST
Access Vector: Adjacent Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2012-2377

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-2377

http://rhn.redhat.com/errata/RHSA-2013-0194.html

RHSA-2013:0194 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-0196.html

RHSA-2013:0196 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-0197.html

Red Hat Customer Portal

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-0191.html

RHSA-2013:0191 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-0193.html

Red Hat Customer Portal

CVEs referencing this url
http://www.securityfocus.com/bid/54183

JBoss Enterprise BRMS Platform JGroups Diagnostics Service Information Disclosure Vulnerability
http://rhn.redhat.com/errata/RHSA-2013-0195.html

RHSA-2013:0195 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2012-1125.html

Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-0192.html

RHSA-2013:0192 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/76540

JBoss JGroups information disclosure CVE-2012-2377 Vulnerability Report
https://bugzilla.redhat.com/show_bug.cgi?id=823392

823392 – (CVE-2012-2377) CVE-2012-2377 JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started
http://rhn.redhat.com/errata/RHSA-2012-1232.html

Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-0198.html

RHSA-2013:0198 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2012-1028.html

Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url

Products affected by CVE-2012-2377

Redhat » Jboss Enterprise Soa Platform
Versions up to, including, (<=) 5.2.0
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:*:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.3.0 Update Cp04
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp04:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 5.0.0
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.2.0 Update Cp01
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp01:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.2.0
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.3.0 Update Cp02
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp02:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.3.0 Update Cp03
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp03:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.3.0
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.3.0 Update Cp01
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp01:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.2.0 Update Cp04
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp04:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.2.0 Update Cp02
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp02:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.2.0 Update Cp05
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp05:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.2.0 Update Cp03
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp03:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.2.0 Update Tp02
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:tp02:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 5.0.1
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.1:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 5.1.0
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 4.3.0 Update Cp05
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp05:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 5.0.2
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.2:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 5.1.1
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.1:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Portal Platform
Versions up to, including, (<=) 5.2.1
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:*:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Portal Platform » Version: 5.0.1
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.1:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Portal Platform » Version: 5.0.0
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Portal Platform » Version: 5.1.1
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.1:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Portal Platform » Version: 5.1.0
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Portal Platform » Version: 5.2.0
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Portal Platform » Version: 4.3.0 Update Cp07
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp07:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Portal Platform » Version: 4.3.0
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Brms Platform
Versions up to, including, (<=) 5.2.0
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2012-2377

Exploit prediction scoring system (EPSS) score for CVE-2012-2377

CVSS scores for CVE-2012-2377

CWE ids for CVE-2012-2377

References for CVE-2012-2377

Products affected by CVE-2012-2377