{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright © Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for JBoss Operations Network 2.4.2 that fixes one security issue\nis now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "JBoss Operations Network (JBoss ON) is a middleware management solution\nthat provides a single point of control to deploy, manage, and monitor\nJBoss Enterprise Middleware, applications, and services.\n\nA flaw was found in the way LDAP (Lightweight Directory Access Protocol)\nauthentication was handled. If the LDAP bind account credentials became\ninvalid, subsequent log in attempts with any password for user accounts\ncreated via LDAP were successful. A remote attacker could use this flaw\nto log into LDAP-based JBoss ON accounts without knowing the correct\npasswords. (CVE-2012-1100)\n\nWarning: Before applying the update, back up your existing JBoss ON\ninstallation (including its databases, applications, configuration files,\nthe JBoss ON server's file system directory, and so on).\n\nAll users of JBoss Operations Network 2.4.2 as provided from the Red Hat\nCustomer Portal are advised to install this update.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2012:0396",
        "url": "https://access.redhat.com/errata/RHSA-2012:0396"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=2.4.2",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=2.4.2"
      },
      {
        "category": "external",
        "summary": "799789",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=799789"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_0396.json"
      }
    ],
    "title": "Red Hat Security Advisory: JBoss Operations Network 2.4.2 security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:40:05+00:00",
      "generator": {
        "date": "2025-11-21T17:40:05+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2012:0396",
      "initial_release_date": "2012-03-19T21:43:00+00:00",
      "revision_history": [
        {
          "date": "2012-03-19T21:43:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2012-03-19T21:46:59+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:40:05+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Operations Network 2.4",
                "product": {
                  "name": "Red Hat JBoss Operations Network 2.4",
                  "product_id": "Red Hat JBoss Operations Network 2.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_operations_network:2.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Middleware"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2012-1100",
      "discovery_date": "2012-03-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "799789"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Red Hat JBoss Operations Network (JON) 3.0.x before 3.0.1, 2.4.2, and earlier, when LDAP authentication is enabled and the LDAP bind account credentials are invalid, allows remote attackers to login to LDAP-based accounts via an arbitrary password in a login request.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "JON: LDAP authentication allows any user access if bind credentials are bad",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Operations Network 2.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-1100"
        },
        {
          "category": "external",
          "summary": "RHBZ#799789",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=799789"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-1100",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-1100"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-1100",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1100"
        }
      ],
      "release_date": "2012-02-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-03-19T21:43:00+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss ON installation (including its databases, applications,\nconfiguration files, the JBoss ON server's file system directory, and so\non).\n\nStop the JBoss ON server (rhq-server.sh stop) before applying the update.\nAfter applying the update, start the JBoss ON server (rhq-server.sh start).",
          "product_ids": [
            "Red Hat JBoss Operations Network 2.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:0396"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Operations Network 2.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "JON: LDAP authentication allows any user access if bind credentials are bad"
    }
  ]
}