CVE-2013-1777

Apache Geronimo 3.x < 3.0.1 - Remote Code Execution via JMX Remoting


Description

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

References (4)

Patch, Vendor Advisory (x_refsource_confirm): http://www-01.ibm.com/support/docview.wss?uid=swg21643282
Various Sources (x_refsource_confirm): https://issues.apache.org/jira/browse/GERONIMO-6477
Third Party Advisory, mailing-list (x_refsource_bugtraq): http://archives.neohapsis.com/archives/bugtraq/2013-07/0008.html
Vendor Advisory (x_refsource_confirm): http://geronimo.apache.org/30x-security-report.html

Scores

EPSS 0.0981
EPSS Percentile 95.0%

Details

CWE
CWE-94
Status published
Products (3)
apache/geronimo 3.0 (3 CPE variants)
ibm/websphere_application_server 3.0.0.3
org.apache.geronimo.framework/geronimo-jmx-remoting 3.0-beta-1 - 3.0.1 (Maven)
Published Jul 11, 2013
Tracked Since Feb 18, 2026