Guest

Preview Tool

Cisco Bug: CSCur57763 - CTS-Man eval for CVE-2012-0874 CVE-2013-4810

Last Modified

Aug 11, 2015

Products (1)

  • Cisco TelePresence Manager

Known Affected Releases

1.9.3

Description (partial)

Symptoms:
Cisco TelePresence Manager includes a version of JBOSS Application server that is affected by the
vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2012-0874: The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise
Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA
Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote
attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can
only be exploited when the interceptor is not properly configured with a ''second layer of authentication,'' or
when used in conjunction with other vulnerabilities that bypass this second layer. This has been classified by
the vendor as having a CVSSv2 score of 6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)

CVE-2013-4810: JBoss allow remote attackers to execute arbitrary code via a marshalled object to (1)
EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of
CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874. This has been classified by the vendor as having a CVSSv2
score of 10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)

This bug was opened to address the potential impact on this product.

Conditions:
Running version of the software prior to the Known Fixed Releases
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.