CVE-2013-1768 Information
Description
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.
Reference
http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0099.html
http://rhn.redhat.com/errata/RHSA-2013-1862.html
http://svn.apache.org/viewvc?view=revision&revision=1462076
http://svn.apache.org/viewvc?view=revision&revision=1462225
http://svn.apache.org/viewvc?view=revision&revision=1462268
http://svn.apache.org/viewvc?view=revision&revision=1462318
http://svn.apache.org/viewvc?view=revision&revision=1462328
http://svn.apache.org/viewvc?view=revision&revision=1462488
http://svn.apache.org/viewvc?view=revision&revision=1462512
http://svn.apache.org/viewvc?view=revision&revision=1462558
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.securityfocus.com/bid/60534
http://www-01.ibm.com/support/docview.wss?uid=swg1PM86780
http://www-01.ibm.com/support/docview.wss?uid=swg1PM86786
http://www-01.ibm.com/support/docview.wss?uid=swg1PM86788
http://www-01.ibm.com/support/docview.wss?uid=swg1PM86791
http://www-01.ibm.com/support/docview.wss?uid=swg21635999
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
https://exchange.xforce.ibmcloud.com/vulnerabilities/82268