CVE-2010-3708

JBoss Enterprise Application Platform and SOA Platform - Remote Code Execution via Serialized Class File Embedding

Title source: llm
STIX 2.1

Description

The serialization implementation in JBoss Drools in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 before 4.3.0.CP09 and JBoss Enterprise SOA Platform 4.2 and 4.3 supports the embedding of class files, which allows remote attackers to execute arbitrary code via a crafted static initializer.

References (7)

Core 7
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0940.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0938.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=633859
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0937.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0939.html
Various Sources x_refsource_misc
https://issues.jboss.org/browse/SOA-2319
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1024813

Scores

EPSS 0.0302
EPSS Percentile 85.9%

Details

CWE
CWE-20
Status published
Products (4)
org.drools/drools-core 0 - 4.0.7Maven
redhat/jboss_enterprise_application_platform 4.3.0 (9 CPE variants)
redhat/jboss_enterprise_soa_platform 4.2.0 (7 CPE variants)
redhat/jboss_enterprise_soa_platform 4.3.0 (5 CPE variants)
Published Dec 30, 2010
Tracked Since Feb 18, 2026