Detections
Analytics

RHEL 6 : Red Hat JBoss Enterprise Application Platform 6.4.20 (RHSA-2018:1449)

critical Nessus Plugin ID 109906

Language:

Synopsis

The remote Red Hat host is missing one or more security updates for Red Hat JBoss Enterprise Application Platform 6.4.20.

Description

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:1449 advisory.

 - Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978)

 - solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163)

 - jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper (CVE-2017-7525)

 - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)

 - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)

 - tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)

 - jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489)

 - slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL Red Hat JBoss Enterprise Application Platform 6.4.20 package based on the guidance in RHSA-2018:1449.

See Also

http://www.nessus.org/u?7dfcbaaa

http://www.nessus.org/u?7ef4c395

https://access.redhat.com/errata/RHSA-2018:1449

https://access.redhat.com/security/updates/classification/#important

https://bugzilla.redhat.com/show_bug.cgi?id=1379207

https://bugzilla.redhat.com/show_bug.cgi?id=1454783

https://bugzilla.redhat.com/show_bug.cgi?id=1506612

https://bugzilla.redhat.com/show_bug.cgi?id=1528565

https://bugzilla.redhat.com/show_bug.cgi?id=1548289

https://bugzilla.redhat.com/show_bug.cgi?id=1548909

https://bugzilla.redhat.com/show_bug.cgi?id=1549276

https://bugzilla.redhat.com/show_bug.cgi?id=1559008

https://bugzilla.redhat.com/show_bug.cgi?id=1559011

https://bugzilla.redhat.com/show_bug.cgi?id=1559016

Plugin Details

Severity: Critical

ID: 109906

File Name: redhat-RHSA-2018-1449.nasl

Version: 1.8

Type: local

Agent: unix

Published: 5/18/2018

Updated: 4/27/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-8088

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:jbossts, p-cpe:/a:redhat:enterprise_linux:jboss-as-logging, p-cpe:/a:redhat:enterprise_linux:jbossas-core, p-cpe:/a:redhat:enterprise_linux:jboss-as-xts, p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink, p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions, p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices, p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-as-version, cpe:/o:redhat:enterprise_linux:6, p-cpe:/a:redhat:enterprise_linux:hornetq, p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient, p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi, p-cpe:/a:redhat:enterprise_linux:jboss-as-cli, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77, p-cpe:/a:redhat:enterprise_linux:jgroups, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http, p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner, p-cpe:/a:redhat:enterprise_linux:jboss-as-network, p-cpe:/a:redhat:enterprise_linux:jbossas-appclient, p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin, p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded, p-cpe:/a:redhat:enterprise_linux:picketbox, p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-as-weld, p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering, p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting, p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa, p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr, p-cpe:/a:redhat:enterprise_linux:jbossweb, p-cpe:/a:redhat:enterprise_linux:jboss-as-naming, p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean, p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr, p-cpe:/a:redhat:enterprise_linux:jboss-as-sar, p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management, p-cpe:/a:redhat:enterprise_linux:jbossas-domain, p-cpe:/a:redhat:enterprise_linux:jboss-as-web, p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap, p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller, p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs, p-cpe:/a:redhat:enterprise_linux:jboss-as-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster, p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp, p-cpe:/a:redhat:enterprise_linux:jboss-as-connector, p-cpe:/a:redhat:enterprise_linux:jbossas-bundles, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-xc, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-mapper-asl, p-cpe:/a:redhat:enterprise_linux:jboss-as-threads, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-jaxrs, p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo, p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson, p-cpe:/a:redhat:enterprise_linux:jbossas-standalone, p-cpe:/a:redhat:enterprise_linux:lucene-solr, p-cpe:/a:redhat:enterprise_linux:jboss-as-mail, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service, p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb, p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3, p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-core-asl, p-cpe:/a:redhat:enterprise_linux:jboss-as-server

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 5/14/2018

Vulnerability Publication Date: 9/27/2016

Reference Information

CVE: CVE-2016-4978, CVE-2017-15095, CVE-2017-17485, CVE-2017-3163, CVE-2017-7525, CVE-2018-1304, CVE-2018-7489, CVE-2018-8088

CWE: 184, 20, 22, 284, 502

RHSA: 2018:1449