IBM WebSphere Commerce Lets Remote Authenticated Users Execute Server Side Code on the Target System
Severity Rating: Medium
· Red Hat JBoss Enterprise Application Platform 5 for Red Hat Enterprise Linux 5.
A vulnerability has been reported in Red Hat JBoss that can be exploited by remote attackers to execute arbitrary code on the target system. A remote attacker can send a specially crafted RichFaces UserResource request containing a tainted serialized Java object (org.ajax4jsf.resource.UserResource$UriData) carrying an expression language (EL) expression; the object is deserialized after passing the white-list protections and the expression is then evaluated. As a result, arbitrary code may be executed on the target system.
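The weakness above is a Java deserialization issue whose white-list protection could be passed. The following is an added, generic example (not code from Red Hat, JBoss or RichFaces) of the defensive pattern a server-side application can apply at the ObjectInputStream level: a strict allow-list filter (java.io.ObjectInputFilter, available since Java 9) that rejects any class not explicitly expected before its deserialization logic runs, plus depth and reference limits. The class names ExpectedPayload and UnexpectedType are constructed for the demonstration and stand in for the application's real payload type and for any unexpected type found in the stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class AllowlistDeserialization {

    // Constructed sample type: stands in for the object the application
    // legitimately expects to read from the stream.
    public static final class ExpectedPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        ExpectedPayload(String name) { this.name = name; }
    }

    // Constructed sample type that is NOT on the allow-list: stands in for any
    // class the application never intends to deserialize.
    public static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Allow-list filter: only the expected payload class and a few JDK value
    // types are accepted; the trailing "!*" rejects everything else. maxdepth
    // and maxrefs bound the object graph so nested or self-referencing streams
    // cannot exhaust resources. Rejection happens before readObject() of the
    // rejected class is ever invoked.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=5;maxrefs=100;"
        + ExpectedPayload.class.getName() + ";"
        + "java.lang.String;java.lang.Number;java.lang.Integer;!*");

    static Object deserializeFiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: passes the filter and is returned to the caller.
        byte[] good = serialize(new ExpectedPayload("catalog-entry"));
        ExpectedPayload p = (ExpectedPayload) deserializeFiltered(good);
        System.out.println("accepted: " + p.name);

        // Unexpected type: the filter reports REJECTED and the stream aborts
        // with InvalidClassException instead of instantiating the class.
        byte[] bad = serialize(new UnexpectedType());
        try {
            deserializeFiltered(bad);
            System.out.println("BUG: unexpected type was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The filter pattern matches the binary class name as returned by Class.getName(), so a nested class such as AllowlistDeserialization$ExpectedPayload must be listed with its dollar-sign form. An application-wide default can be set with ObjectInputFilter.Config.setSerialFilter() or the jdk.serialFilter system property, which also covers deserialization performed by third-party components the application does not call directly.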
Users are advised to apply updates.
More information is available on:
Red Hat Security Advisory
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street