
Computer vulnerabilities of Red Hat JBoss EAP

computer vulnerability alert CVE-2017-15095 CVE-2017-17485

Jackson: code execution via Black List

Synthesis of the vulnerability

An attacker can exploit a Black List vulnerability in Jackson in order to run code.
Impacted products: Debian, Avamar, Fedora, Oracle Communications, Oracle DB, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Tuxedo, Oracle Virtual Directory, WebLogic, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 16/11/2017.
Identifiers: 519493, cpuapr2018, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-15095, CVE-2017-17485, DSA-2018-048, DSA-4037-1, DSA-4114-1, FEDORA-2017-4a071ecbc7, FEDORA-2017-e16ed3f7a1, FEDORA-2018-bbf8c38b51, FEDORA-2018-e4b025841e, ibm10715641, ibm10738249, RHSA-2018:0478-01, RHSA-2018:0479-01, RHSA-2018:0480-01, RHSA-2018:0481-01, RHSA-2018:0576-01, RHSA-2018:0577-01, RHSA-2018:1447-01, RHSA-2018:1448-01, RHSA-2018:1449-01, RHSA-2018:1450-01, RHSA-2018:1451-01, RHSA-2018:2930-01, VIGILANCE-VUL-24456.

Description of the vulnerability

An attacker can exploit a Black List vulnerability in Jackson in order to run code.

vulnerability alert CVE-2013-6440

OpenSAML: information disclosure via XML Entities

Synthesis of the vulnerability

An attacker can bypass data access restrictions through XML Entities in OpenSAML in order to obtain sensitive information.
Impacted products: WebSphere AS Liberty, RHEL, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 15/11/2017.
Identifiers: 2010415, 2011863, CVE-2013-6440, RHSA-2014:0170-01, RHSA-2014:0171-01, RHSA-2014:0172-01, RHSA-2014:0195-01, RHSA-2014:0452-01, RHSA-2014:1290-01, RHSA-2014:1291-01, RHSA-2014:1995-01, VIGILANCE-VUL-24441.

Description of the vulnerability

An attacker can bypass data access restrictions through XML Entities in OpenSAML in order to obtain sensitive information.

vulnerability note CVE-2017-12629

Apache Lucene: code execution via Solr

Synthesis of the vulnerability

An attacker can exploit a vulnerability in the Solr component of Apache Lucene in order to run code.
Impacted products: Debian, Fedora, RHEL, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 02/11/2017.
Identifiers: CVE-2017-12629, DLA-1254-1, DSA-4124-1, FEDORA-2017-005f8f7f7d, FEDORA-2017-0929e71b41, FEDORA-2017-195e7ea9a8, FEDORA-2017-c7bdf540b4, FEDORA-2017-f1535b86fa, RHSA-2017:3123-01, RHSA-2017:3124-01, RHSA-2017:3244-01, RHSA-2017:3451-01, RHSA-2017:3452-01, RHSA-2018:0002-01, RHSA-2018:0003-01, RHSA-2018:0004-01, RHSA-2018:0005-01, VIGILANCE-VUL-24304.

Description of the vulnerability

An attacker can exploit a vulnerability in the Solr component of Apache Lucene in order to run code.

vulnerability note CVE-2017-7536

Hibernate Validator: privilege escalation via Reflective

Synthesis of the vulnerability

An attacker can bypass restrictions through the Reflective component of Hibernate Validator in order to escalate their privileges.
Impacted products: JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: document.
Creation date: 27/09/2017.
Identifiers: CVE-2017-7536, RHSA-2017:2808-01, RHSA-2017:2809-01, RHSA-2017:2810-01, RHSA-2017:2811-01, RHSA-2017:3454-01, RHSA-2017:3455-01, RHSA-2017:3456-01, RHSA-2017:3458-01, RHSA-2018:2740-01, RHSA-2018:2741-01, RHSA-2018:2742-01, RHSA-2018:2743-01, RHSA-2018:3817-01, VIGILANCE-VUL-23924.

Description of the vulnerability

An attacker can bypass restrictions through the Reflective component of Hibernate Validator in order to escalate their privileges.

vulnerability bulletin CVE-2017-2582

Picketlink: information disclosure via StaxParserUtil SAML

Synthesis of the vulnerability

An attacker can bypass data access restrictions through the StaxParserUtil SAML component of Picketlink in order to obtain sensitive information.
Impacted products: JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 27/09/2017.
Identifiers: CVE-2017-2582, RHSA-2017:2808-01, RHSA-2017:2809-01, RHSA-2017:2810-01, RHSA-2017:2811-01, RHSA-2017:3216-01, RHSA-2017:3217-01, RHSA-2017:3218-01, RHSA-2017:3219-01, RHSA-2017:3220-01, RHSA-2018:2740-01, RHSA-2018:2741-01, RHSA-2018:2742-01, RHSA-2018:2743-01, RHSA-2019:0136-01, RHSA-2019:0137-01, RHSA-2019:0139-01, VIGILANCE-VUL-23923.

Description of the vulnerability

An attacker can bypass data access restrictions through the StaxParserUtil SAML component of Picketlink in order to obtain sensitive information.

vulnerability bulletin CVE-2017-9798

Apache httpd: information disclosure via htaccess Limit Optionsbleed

Synthesis of the vulnerability

When Apache httpd hosts an .htaccess file that uses the Limit option, an OPTIONS request can retrieve a fragment of the server process memory.
Impacted products: Apache httpd, Mac OS X, Debian, Fedora, WebSphere AS Traditional, Junos Space, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Identity Management, Oracle iPlanet Web Server, Solaris, Tuxedo, WebLogic, Oracle Web Tier, RHEL, JBoss EAP by Red Hat, Slackware, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 19/09/2017.
Identifiers: 2009782, bulletinjan2018, CERTFR-2017-AVI-336, cpujan2018, cpujan2019, CVE-2017-9798, DLA-1102-1, DSA-3980-1, FEDORA-2017-a52f252521, HT208331, HT208394, JSA10838, openSUSE-SU-2017:2549-1, openSUSE-SU-2018:1057-1, RHSA-2017:2882-01, RHSA-2017:2972-01, RHSA-2017:3018-01, RHSA-2017:3113-01, RHSA-2017:3114-01, RHSA-2017:3239-01, RHSA-2017:3240-01, SSA:2017-261-01, Synology-SA-17:56, USN-3425-1, USN-3425-2, VIGILANCE-VUL-23863.

Description of the vulnerability

When Apache httpd hosts an .htaccess file that uses the Limit option, an OPTIONS request can retrieve a fragment of the server process memory.

vulnerability CVE-2017-7561

JBoss RESTEasy: vulnerability via HTTP Vary Header

Synthesis of the vulnerability

A vulnerability in the HTTP Vary header handling of JBoss RESTEasy was announced.
Impacted products: RESTEasy JBoss OpenSource, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 14/09/2017.
Identifiers: CVE-2017-7561, RESTEASY-1704, RHSA-2018:0002-01, RHSA-2018:0003-01, RHSA-2018:0004-01, RHSA-2018:0005-01, RHSA-2018:0478-01, RHSA-2018:0479-01, RHSA-2018:0480-01, RHSA-2018:0481-01, VIGILANCE-VUL-23840.

Description of the vulnerability

A vulnerability in the HTTP Vary header handling of JBoss RESTEasy was announced.

vulnerability alert CVE-2014-9970

Jasypt: information disclosure via Password Hash Comparison

Synthesis of the vulnerability

An attacker can bypass data access restrictions through the Password Hash Comparison of Jasypt in order to obtain sensitive information.
Impacted products: JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 31/08/2017.
Identifiers: CVE-2014-9970, RHSA-2017:2546-01, RHSA-2017:2547-01, RHSA-2017:2808-01, RHSA-2017:2809-01, RHSA-2017:2810-01, RHSA-2017:2811-01, RHSA-2018:0294-01, VIGILANCE-VUL-23641.

Description of the vulnerability

An attacker can bypass data access restrictions through the Password Hash Comparison of Jasypt in order to obtain sensitive information.

computer vulnerability alert CVE-2016-6311

JBoss Enterprise Application Platform: information disclosure via Internal IP Address

Synthesis of the vulnerability

An attacker can bypass data access restrictions through the Internal IP Address disclosure of JBoss Enterprise Application Platform in order to obtain sensitive information.
Impacted products: JBoss EAP by Red Hat.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 23/08/2017.
Identifiers: 1362735, CVE-2016-6311, RHSA-2017:3454-01, RHSA-2017:3455-01, RHSA-2017:3456-01, RHSA-2017:3458-01, VIGILANCE-VUL-23596.

Description of the vulnerability

An attacker can bypass data access restrictions through the Internal IP Address disclosure of JBoss Enterprise Application Platform in order to obtain sensitive information.

computer vulnerability alert CVE-2017-7525

jackson-databind: code execution via ObjectMapper readValue

Synthesis of the vulnerability

An attacker can exploit a vulnerability in ObjectMapper.readValue() of jackson-databind in order to run code.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Tuxedo, Oracle Virtual Directory, WebLogic, Puppet, RHEL, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 01/08/2017.
Identifiers: cpuapr2018, cpuapr2019, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-7525, DSA-4004-1, FEDORA-2017-6a75c816fa, FEDORA-2017-8df9efed5f, FEDORA-2017-f452765e1e, FEDORA-2018-bbf8c38b51, FEDORA-2018-e4b025841e, ibm10715641, ibm10738249, RHSA-2017:1834-01, RHSA-2017:1835-01, RHSA-2017:1836-01, RHSA-2017:1837-01, RHSA-2017:1839-01, RHSA-2017:1840-01, RHSA-2017:2477-01, RHSA-2017:2546-01, RHSA-2017:2547-01, RHSA-2017:2633-01, RHSA-2017:2635-01, RHSA-2017:2636-01, RHSA-2017:2637-01, RHSA-2017:2638-01, RHSA-2017:3454-01, RHSA-2017:3455-01, RHSA-2017:3456-01, RHSA-2017:3458-01, RHSA-2018:0294-01, RHSA-2018:1447-01, RHSA-2018:1448-01, RHSA-2018:1449-01, RHSA-2018:1450-01, RHSA-2018:1451-01, VIGILANCE-VUL-23406.

Description of the vulnerability

An attacker can exploit a vulnerability in ObjectMapper.readValue() of jackson-databind in order to run code.