The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2511 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    This release of Red Hat JBoss Enterprise Application Platform 7.3.1 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.3.0, and includes bug fixes and enhancements. See the Red Hat     JBoss Enterprise Application Platform 7.3.1 Release Notes for information about the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * cxf: reflected XSS in the services listing page (CVE-2019-17573)

    * cxf-core: cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)

    * jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)

    * undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could     result in security bypass (CVE-2020-1757)

    * jackson-databind: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)

    * jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)

    * resteasy-jaxrs: resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class     (CVE-2020-1695)

    * cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)

    * smallrye-config: SmallRye: SecuritySupport class is incorrectly public and contains a static method to     access the current threads context class loader (CVE-2020-1729)

    * resteasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688)

    * jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)

    * undertow: invalid HTTP request with large chunk size (CVE-2020-10719)

    * jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546)

    * jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)

    * jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)

    * undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)

    * libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205)

    * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)

    * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider     is in use (CVE-2019-14887)

    * jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of     CVE-2018-14371 (CVE-2020-6950)

    * jsf-impl: mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter     (CVE-2018-14371)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, see the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0804 advisory.

    This release of Red Hat JBoss Enterprise Application Platform 7.2.7 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.2.6, and includes bug fixes and enhancements. See the Red Hat     JBoss Enterprise Application Platform 7.2.7 Release Notes for information about the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean     by default (CVE-2019-10086)

    * libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205)

    * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)

    * xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source     (CVE-2019-12400)

    * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider     is in use (CVE-2019-14887)

    * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

    * netty: HTTP request smuggling (CVE-2019-20444)

    * netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length     header (CVE-2019-20445)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, see the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0806 advisory.

    This release of Red Hat JBoss Enterprise Application Platform 7.2.7 serves as a     replacement for Red Hat JBoss Enterprise Application Platform 7.2.6, and     includes bug fixes and enhancements. See the Red Hat JBoss Enterprise     Application Platform 7.2.7 Release Notes for information about the most     significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * commons-beanutils: apache-commons-beanutils: does not suppresses the class     property in PropertyUtilsBean by default (CVE-2019-10086)

    * libthrift: thrift: Endless loop when feed with specific input data     (CVE-2019-0205)

    * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or     TSimpleJSONProtocol (CVE-2019-0210)

    * xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from     an untrusted source (CVE-2019-12400)

    * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider     is in use (CVE-2019-14887)

    * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

    * netty: HTTP request smuggling (CVE-2019-20444)

    * netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length     header (CVE-2019-20445)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, see the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0962 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    Security Fix(es):

    * The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use     (CVE-2019-14887)

    * libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205)

    * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)

    * undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, see the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202107-32 (Apache Thrift: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache Thrift. Please       review the CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2513 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    This release of Red Hat JBoss Enterprise Application Platform 7.3.1 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.3.0, and includes bug fixes and enhancements. See the Red Hat     JBoss Enterprise Application Platform 7.3.1 Release Notes for information about the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * cxf: reflected XSS in the services listing page (CVE-2019-17573)

    * cxf-core: cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)

    * jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)

    * undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could     result in security bypass (CVE-2020-1757)

    * jackson-databind: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)

    * jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)

    * resteasy-jaxrs: resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class     (CVE-2020-1695)

    * cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)

    * smallrye-config: SmallRye: SecuritySupport class is incorrectly public and contains a static method to     access the current threads context class loader (CVE-2020-1729)

    * resteasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688)

    * jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)

    * undertow: invalid HTTP request with large chunk size (CVE-2020-10719)

    * jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546)

    * jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)

    * jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)

    * undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)

    * libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205)

    * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)

    * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider     is in use (CVE-2019-14887)

    * jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of     CVE-2018-14371 (CVE-2020-6950)

    * jsf-impl: mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter     (CVE-2018-14371)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, see the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the thrift packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In Apache Thrift 0.9.3 to 0.12.0, a server implemented     in Go using TJSONProtocol or TSimpleJSONProtocol may     panic when feed with invalid input data.(CVE-2019-0210)

  - In Apache Thrift all versions up to and including     0.12.0, a server or client may run into an endless loop     when feed with specific input data. Because the issue     had already been partially fixed in version 0.11.0,     depending on the installed version it affects only     certain language bindings.(CVE-2019-0205)

  - Apache Thrift Java client library versions 0.5.0     through 0.11.0 can bypass SASL negotiation isComplete     validation in the     org.apache.thrift.transport.TSaslTransport class. An     assert used to determine if the SASL handshake had     successfully completed could be disabled in production     settings making the validation     incomplete.(CVE-2018-1320)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0805 advisory.

    This release of Red Hat JBoss Enterprise Application Platform 7.2.7 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.2.6, and includes bug fixes and enhancements. See the Red Hat     JBoss Enterprise Application Platform 7.2.7 Release Notes for information about the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * commons-beanutils: apache-commons-beanutils: does not suppresses the class     property in PropertyUtilsBean by default (CVE-2019-10086)

    * libthrift: thrift: Endless loop when feed with specific input data     (CVE-2019-0205)

    * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or     TSimpleJSONProtocol (CVE-2019-0210)

    * xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from     an untrusted source (CVE-2019-12400)

    * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider     is in use (CVE-2019-14887)

    * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

    * netty: HTTP request smuggling (CVE-2019-20444)

    * netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length     header (CVE-2019-20445)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, see the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2512 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java     applications based on the WildFly application runtime.

    This release of Red Hat JBoss Enterprise Application Platform 7.3.1 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.3.0, and includes bug fixes and enhancements. See the Red Hat     JBoss Enterprise Application Platform 7.3.1 Release Notes for information about the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * cxf: reflected XSS in the services listing page (CVE-2019-17573)

    * cxf-core: cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)

    * jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)

    * undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could     result in security bypass (CVE-2020-1757)

    * jackson-databind: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)

    * jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)

    * resteasy-jaxrs: resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class     (CVE-2020-1695)

    * cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)

    * smallrye-config: SmallRye: SecuritySupport class is incorrectly public and contains a static method to     access the current threads context class loader (CVE-2020-1729)

    * resteasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688)

    * jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)

    * undertow: invalid HTTP request with large chunk size (CVE-2020-10719)

    * jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546)

    * jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)

    * jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)

    * undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)

    * libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205)

    * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)

    * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider     is in use (CVE-2019-14887)

    * jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of     CVE-2018-14371 (CVE-2020-6950)

    * jsf-impl: mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter     (CVE-2018-14371)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, see the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
137331	RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.3.1 Security update (Important) (RHSA-2020:2511)	Nessus	Red Hat Local Security Checks	6/11/2020	11/7/2024	critical
134612	RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 6 (RHSA-2020:0804)	Nessus	Red Hat Local Security Checks	3/16/2020	11/7/2024	critical
134614	RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 8 (RHSA-2020:0806)	Nessus	Red Hat Local Security Checks	3/16/2020	11/7/2024	critical
134870	RHEL 6 / 7 / 8 : Red Hat JBoss Enterprise Application Platform 7.3 (RHSA-2020:0962)	Nessus	Red Hat Local Security Checks	3/24/2020	11/7/2024	critical
157019	GLSA-202107-32 : Apache Thrift: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	1/24/2022	1/16/2024	high
137334	RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.3.1 Security update (Important) (RHSA-2020:2513)	Nessus	Red Hat Local Security Checks	6/11/2020	11/7/2024	critical
147467	EulerOS Virtualization 3.0.6.6 : thrift (EulerOS-SA-2021-1457)	Nessus	Huawei Local Security Checks	3/10/2021	3/16/2021	high
134613	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 7 (RHSA-2020:0805)	Nessus	Red Hat Local Security Checks	3/16/2020	11/7/2024	critical
137333	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.3.1 Security update (Important) (RHSA-2020:2512)	Nessus	Red Hat Local Security Checks	6/11/2020	11/7/2024	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

high

critical

high

critical

critical