It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. This may result in a heap memory exhaustion, full GC, or OutOfMemoryError.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0271 advisory.

  - artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)

  - tomcat: Remote Code Execution bypass for CVE-2017-12615 (CVE-2017-12617)

  - jboss-remoting: High CPU Denial of Service (CVE-2018-1041)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0481 advisory.

  - resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)

  - artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)

  - undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)

  - infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)     (CVE-2017-15095)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)     (CVE-2017-17485)

  - undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)

  - jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and     CVE-2017-17485) (CVE-2018-5968)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0480 advisory.

  - resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)

  - artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)

  - undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)

  - infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)     (CVE-2017-15095)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)     (CVE-2017-17485)

  - undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)

  - jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and     CVE-2017-17485) (CVE-2018-5968)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0479 advisory.

  - resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)

  - artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)

  - undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)

  - infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)     (CVE-2017-15095)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)     (CVE-2017-17485)

  - undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)

  - jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and     CVE-2017-17485) (CVE-2018-5968)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0270 advisory.

  - artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)

  - tomcat: Remote Code Execution bypass for CVE-2017-12615 (CVE-2017-12617)

  - jboss-remoting: High CPU Denial of Service (CVE-2018-1041)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0268 advisory.

  - artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)

  - tomcat: Remote Code Execution bypass for CVE-2017-12615 (CVE-2017-12617)

  - jboss-remoting: High CPU Denial of Service (CVE-2018-1041)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).

With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.19.

Security Fix(es) :

* It was found that when Artemis and HornetQ are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. This may result in a heap memory exhaustion, full GC, or OutOfMemoryError. (CVE-2017-12174)

* A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution. (CVE-2017-12617)

* A vulnerability was found in the way RemoteMessageChannel, introduced in jboss-remoting versions 3.3.10.Final-redhat-1, reads from an empty buffer. An attacker could use this flaw to cause denial of service via high CPU caused by an infinite loop. (CVE-2018-1041)

The CVE-2017-12174 issue was discovered by Masafumi Miura (Red Hat).

ID	Name	Product	Family	Severity
194092	RHEL 5 : Red Hat JBoss Enterprise Application Platform 6.4.19 (RHSA-2018:0271)	Nessus	Red Hat Local Security Checks	high
108325	RHEL 6 / 7 : jboss-ec2-eap package for EAP 7.1.1 (Important) (RHSA-2018:0481)	Nessus	Red Hat Local Security Checks	critical
108324	RHEL 7 : JBoss Enterprise Application Platform 7.1.1 for RHEL 7 (Important) (RHSA-2018:0480)	Nessus	Red Hat Local Security Checks	critical
108323	RHEL 6 : JBoss Enterprise Application Platform 7.1.1 on RHEL 6 (Important) (RHSA-2018:0479)	Nessus	Red Hat Local Security Checks	critical
106651	RHEL 6 : Red Hat JBoss Enterprise Application Platform 6.4.19 (RHSA-2018:0270)	Nessus	Red Hat Local Security Checks	high
106650	RHEL 7 : Red Hat JBoss Enterprise Application Platform 6.4.19 (RHSA-2018:0268)	Nessus	Red Hat Local Security Checks	high
106616	RHEL 6 : jboss-ec2-eap (RHSA-2018:0275)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2017-12174

high

Tenable Plugins

high

critical

critical

critical

high

high

high