漏洞类别:RedHat
漏洞等级: 
漏洞信息
JBoss Web is the web container, based on Apache Tomcat, in Red Hat JBoss Enterprise Application Platform.
A flaw was found in the way the DiskFileItem class handled NULL characters in file names. A remote attacker able to supply a serialized instance of the DiskFileItem class, which will be deserialized on a server, could use this flaw to write arbitrary content to any location on the server that is accessible to the user running the application server process. (CVE-2013-2185)
Affected Products:
JBoss Enterprise Application Platform 6.4 for RHEL 6 x86_64
JBoss Enterprise Application Platform 6.4 for RHEL 6 i386
JBoss Enterprise Application Platform 6.4 for RHEL 5 x86_64
JBoss Enterprise Application Platform 6.4 for RHEL 5 i386
JBoss Enterprise Application Platform 6 for RHEL 6 x86_64
JBoss Enterprise Application Platform 6 for RHEL 6 i386
JBoss Enterprise Application Platform 6 for RHEL 5 x86_64
JBoss Enterprise Application Platform 6 for RHEL 5 i386
漏洞危害
On successful exploitation an attacker could use this flaw to write arbitrary content to any location on the server that is accessible to the user running the application server process.
解决方案
Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.
Refer to Red Hat security advisory RHSA-2013:1193 to address this issue and obtain more information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论