{
  "threat_severity" : "Important",
  "public_date" : "2018-02-08T00:00:00Z",
  "bugzilla" : {
    "description" : "jolokia: JMX proxy mode vulnerable to remote code execution",
    "id" : "1559316",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1559316"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-99",
  "details" : [ "A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server." ],
  "statement" : "For Red Hat OpenStack Platform, although the affected code is present in shipped packages, proxy mode is not enabled by default and the affected code is not used in any supported configuration of Red Hat OpenStack Platform. For this reason, the RHOSP impact has been reduced to Low and this issue is not currently planned to be addressed in future updates.",
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss Fuse 7",
    "release_date" : "2018-09-11T00:00:00Z",
    "advisory" : "RHSA-2018:2669",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "jolokia-core"
  } ],
  "package_state" : [ {
    "product_name" : "JBoss Developer Studio 11",
    "fix_state" : "Not affected",
    "package_name" : "jolokia-core",
    "cpe" : "cpe:/a:redhat:jboss_dev_studio:11."
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Affected",
    "package_name" : "jolokia-core",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)",
    "fix_state" : "Not affected",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:7"
  }, {
    "product_name" : "Red Hat JBoss A-MQ 6",
    "fix_state" : "Will not fix",
    "package_name" : "jolokia-core",
    "cpe" : "cpe:/a:redhat:jboss_amq:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jolokia-client-java",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Will not fix",
    "package_name" : "jolokia-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Integration Service 2",
    "fix_state" : "Affected",
    "package_name" : "jolokia-core",
    "cpe" : "cpe:/a:redhat:fuse_integration_services:2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 11 (Ocata)",
    "fix_state" : "Not affected",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:11",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 12 (Pike)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:12",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty)",
    "fix_state" : "Not affected",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:8"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:9",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-1000130\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000130\nhttps://jolokia.org/#Security_fixes_with_1.5.0" ],
  "name" : "CVE-2018-1000130",
  "csaw" : false
}