The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Red Hat JBoss Enterprise Application Platform

vulnerability bulletin CVE-2016-6816

Apache Tomcat: information disclosure via HTTP Request Line

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via HTTP Request Line of Apache Tomcat, in order to obtain sensitive information.
Impacted products: Tomcat, Debian, BIG-IP Hardware, TMOS, Fedora, HPE NNMi, QRadar SIEM, Snap Creator Framework, openSUSE Leap, Oracle DB, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 22/11/2016.
Identifiers: 1999395, 1999474, 1999478, 1999479, 1999488, 1999532, 1999671, cpuoct2017, CVE-2016-6816, DLA-728-1, DLA-729-1, DSA-3738-1, DSA-3739-1, FEDORA-2016-98cca07999, FEDORA-2016-9c33466fbb, FEDORA-2016-a98c560116, K50116122, KM03302206, NTAP-20180605-0001, NTAP-20180607-0001, NTAP-20180607-0002, NTAP-20180614-0001, openSUSE-SU-2016:3129-1, openSUSE-SU-2016:3144-1, RHSA-2017:0244-01, RHSA-2017:0245-01, RHSA-2017:0246-01, RHSA-2017:0247-01, RHSA-2017:0250-01, RHSA-2017:0455-01, RHSA-2017:0456-01, RHSA-2017:0457-01, RHSA-2017:0527-01, RHSA-2017:0935-01, SOL50116122, SUSE-SU-2016:3079-1, SUSE-SU-2016:3081-1, SUSE-SU-2017:1632-1, SUSE-SU-2017:1660-1, USN-3177-1, USN-3177-2, VIGILANCE-VUL-21173.

Description of the vulnerability

An attacker can bypass access restrictions to data via HTTP Request Line of Apache Tomcat, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2016-0762 CVE-2016-5018 CVE-2016-6794

Apache Tomcat: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Apache Tomcat.
Impacted products: Tomcat, Debian, Fedora, QRadar SIEM, Snap Creator Framework, openSUSE Leap, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 27/10/2016.
Identifiers: 1999395, 1999474, 1999478, 1999479, 1999488, 1999532, 1999671, bulletinoct2016, CVE-2016-0762, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796, CVE-2016-6797, DLA-728-1, DLA-729-1, DSA-3720-1, DSA-3721-1, FEDORA-2016-4094bd4ad6, FEDORA-2016-c1b01b9278, NTAP-20180605-0001, NTAP-20180607-0001, NTAP-20180607-0002, NTAP-20180614-0001, openSUSE-SU-2016:3129-1, openSUSE-SU-2016:3144-1, RHSA-2017:0455-01, RHSA-2017:0456-01, RHSA-2017:0457-01, RHSA-2017:1548-01, RHSA-2017:1549-01, RHSA-2017:1550-01, RHSA-2017:1551-01, RHSA-2017:1552-01, RHSA-2017:1658-01, RHSA-2017:1659-01, RHSA-2017:2247-01, SUSE-SU-2016:3079-1, SUSE-SU-2016:3081-1, SUSE-SU-2017:1632-1, SUSE-SU-2017:1660-1, USN-3177-1, USN-3177-2, VIGILANCE-VUL-20976.

Description of the vulnerability

Several vulnerabilities were announced in Apache Tomcat.

An attacker can bypass security features via SecurityManager, in order to escalate his privileges. [severity:2/4; CVE-2016-5018]

An attacker can bypass security features via Realm Timing, in order to obtain sensitive information. [severity:2/4; CVE-2016-0762]

An attacker can bypass security features via System Property, in order to obtain sensitive information. [severity:2/4; CVE-2016-6794]

An attacker can bypass security features via SecurityManager, in order to escalate his privileges. [severity:2/4; CVE-2016-6796]

An attacker can bypass security features via Global Resources, in order to obtain sensitive information. [severity:2/4; CVE-2016-6797]
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2016-8610

OpenSSL: denial of service via SSL3_AL_WARNING

Synthesis of the vulnerability

An attacker can send SSL3_AL_WARNING packets to an SSLv3 application linked to OpenSSL, in order to trigger a denial of service.
Impacted products: OpenOffice, Debian, Fedora, FreeBSD, FreeRADIUS, hMailServer, HP Switch, AIX, IRAD, Security Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, Juniper ISG, Juniper J-Series, Junos OS, SSG, SRX-Series, Meinberg NTP Server, NetScreen Firewall, ScreenOS, OpenSSL, openSUSE Leap, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Solaris, WebLogic, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, RHEL, JBoss EAP by Red Hat, Shibboleth SP, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 24/10/2016.
Identifiers: 1996096, 2000095, 2003480, 2003620, 2003673, 2004940, 2009389, bulletinoct2016, cpujul2019, CVE-2016-8610, DLA-814-1, DSA-3773-1, FEDORA-2017-3451dbec48, FEDORA-2017-e853b4144f, FreeBSD-SA-16:35.openssl, HPESBHF03897, JSA10808, JSA10809, JSA10810, JSA10811, JSA10813, JSA10814, JSA10816, JSA10817, JSA10818, JSA10820, JSA10821, JSA10822, JSA10825, openSUSE-SU-2017:0386-1, openSUSE-SU-2017:0487-1, openSUSE-SU-2018:4104-1, PAN-SA-2017-0017, pfSense-SA-17_03.webgui, RHSA-2017:0286-01, RHSA-2017:0574-01, RHSA-2017:1548-01, RHSA-2017:1549-01, RHSA-2017:1550-01, RHSA-2017:1551-01, RHSA-2017:1552-01, RHSA-2017:1658-01, RHSA-2017:1659-01, RHSA-2017:2493-01, RHSA-2017:2494-01, SA40886, SP-CAAAPUE, SPL-129207, SUSE-SU-2017:0304-1, SUSE-SU-2017:0348-1, SUSE-SU-2018:0112-1, SUSE-SU-2018:3864-1, SUSE-SU-2018:3864-2, SUSE-SU-2018:3964-1, SUSE-SU-2018:3994-1, SUSE-SU-2018:4068-1, SUSE-SU-2018:4274-1, SUSE-SU-2019:1553-1, USN-3181-1, USN-3183-1, USN-3183-2, VIGILANCE-VUL-20941.

Description of the vulnerability

The OpenSSL product implements the SSL version 3 protocol.

The SSL3_AL_WARNING message is used to send an alert of level Warning. However, when these packets are received during the handshake, the library consumes 100% of CPU.

An attacker can therefore send SSL3_AL_WARNING packets to an SSLv3 application linked to OpenSSL, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2016-7065

Red Hat JBoss EAP: code execution via JMX Servlet

Synthesis of the vulnerability

An attacker can use an unserialization via JMX Servlet of Red Hat JBoss EAP, in order to run code.
Impacted products: JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: document.
Creation date: 14/10/2016.
Identifiers: 1382534, CVE-2016-7065, VIGILANCE-VUL-20871.

Description of the vulnerability

An attacker can use an unserialization via JMX Servlet of Red Hat JBoss EAP, in order to run code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2016-4459

Apache mod_cluster: buffer overflow via JVMRoute

Synthesis of the vulnerability

An attacker can generate a buffer overflow via JVMRoute of Apache mod_cluster, in order to trigger a denial of service, and possibly to run code.
Impacted products: JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 13/10/2016.
Identifiers: 1341583, CVE-2016-4459, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, VIGILANCE-VUL-20859.

Description of the vulnerability

The Apache mod_cluster product processes JVMRoute messages via mod_manager.

However, if the size of JVMRoute data is greater than the size of the storage array, an overflow occurs.

An attacker can therefore generate a buffer overflow via JVMRoute of Apache mod_cluster, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2016-7046

JBoss Enterprise Application Platform: buffer overflow via Reverse Proxy

Synthesis of the vulnerability

An attacker can generate a buffer overflow via Reverse Proxy of JBoss Enterprise Application Platform, in order to trigger a denial of service.
Impacted products: RHEL, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 04/10/2016.
Identifiers: 1376646, CVE-2016-7046, RHSA-2016:2640-01, RHSA-2016:2641-01, RHSA-2016:2642-01, RHSA-2016:2657-01, RHSA-2017:3454-01, RHSA-2017:3455-01, RHSA-2017:3456-01, RHSA-2017:3458-01, VIGILANCE-VUL-20757.

Description of the vulnerability

The JBoss Enterprise Application Platform product offers a web service.

However, if the size of data is greater than the size of the storage array, an overflow occurs.

An attacker can therefore generate a buffer overflow via Reverse Proxy of JBoss Enterprise Application Platform, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2016-6302 CVE-2016-6303 CVE-2016-6304

OpenSSL: seven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Impacted products: SDS, SES, SNS, Mac OS X, Arkoon FAST360, Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, FreeRADIUS, hMailServer, HP Switch, AIX, DB2 UDB, IRAD, QRadar SIEM, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, MariaDB ~ precise, McAfee Email Gateway, ePO, MySQL Community, MySQL Enterprise, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle DB, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Solaris, Tuxedo, VirtualBox, WebLogic, Oracle Web Tier, Percona Server, pfSense, Pulse Connect Secure, Pulse Secure Client, Pulse Secure SBR, Puppet, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, VxWorks, WinSCP.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 7.
Creation date: 22/09/2016.
Identifiers: 1991866, 1991867, 1991870, 1991871, 1991875, 1991876, 1991878, 1991880, 1991882, 1991884, 1991885, 1991886, 1991887, 1991889, 1991892, 1991894, 1991896, 1991902, 1991903, 1991951, 1991955, 1991959, 1991960, 1991961, 1992681, 1993777, 1996096, 1999395, 1999421, 1999474, 1999478, 1999479, 1999488, 1999532, 2000095, 2000209, 2000544, 2002870, 2003480, 2003620, 2003673, 2008828, bulletinapr2017, bulletinjul2016, bulletinoct2016, CERTFR-2016-AVI-320, CERTFR-2016-AVI-333, cisco-sa-20160927-openssl, cpuapr2017, cpuapr2018, cpujan2017, cpujan2018, cpujul2017, cpujul2019, cpuoct2017, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, DLA-637-1, DSA-3673-1, DSA-3673-2, FEDORA-2016-97454404fe, FEDORA-2016-a555159613, FG-IR-16-047, FG-IR-16-048, FG-IR-17-127, FreeBSD-SA-16:26.openssl, HPESBHF03856, HT207423, JSA10759, openSUSE-SU-2016:2391-1, openSUSE-SU-2016:2407-1, openSUSE-SU-2016:2496-1, openSUSE-SU-2016:2537-1, openSUSE-SU-2018:0458-1, RHSA-2016:1940-01, RHSA-2016:2802-01, RHSA-2017:1548-01, RHSA-2017:1549-01, RHSA-2017:1550-01, RHSA-2017:1551-01, RHSA-2017:1552-01, RHSA-2017:1658-01, RHSA-2017:1659-01, RHSA-2017:2493-01, RHSA-2017:2494-01, SA132, SA40312, SB10171, SB10215, SOL54211024, SOL90492697, SP-CAAAPUE, SPL-129207, SSA:2016-266-01, STORM-2016-005, SUSE-SU-2016:2387-1, SUSE-SU-2016:2394-1, SUSE-SU-2016:2458-1, SUSE-SU-2016:2468-1, SUSE-SU-2016:2469-1, SUSE-SU-2016:2470-1, SUSE-SU-2016:2470-2, TNS-2016-16, USN-3087-1, USN-3087-2, VIGILANCE-VUL-20678.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can create a memory over consumption via an OCSP request, in order to trigger a denial of service. [severity:3/4; CVE-2016-6304]

An attacker can make a process block itself via SSL_peek, in order to trigger a denial of service. [severity:2/4; CVE-2016-6305]

An attacker can generate a buffer overflow via MDC2_Update, in order to trigger a denial of service, and possibly to run code. [severity:1/4; CVE-2016-6303]

An attacker can generate a read only buffer overflow, in order to trigger a denial of service. [severity:1/4; CVE-2016-6302]

An attacker can generate a read only buffer overflow via the parsing of an X.509 certificate, in order to trigger a denial of service. [severity:1/4; CVE-2016-6306]

An attacker can make the server allocates a large amount of memory to process TLS packets. [severity:1/4; CVE-2016-6307]

An attacker can make the server allocates a large amount of memory to process DTLS packets. [severity:1/4; CVE-2016-6308]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2016-5406

JBoss Enterprise Application Platform: privilege escalation via RBAC

Synthesis of the vulnerability

An attacker can bypass restrictions via RBAC of JBoss Enterprise Application Platform, in order to escalate his privileges.
Impacted products: RHEL, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 09/09/2016.
Identifiers: CVE-2016-5406, RHSA-2016:1838-01, RHSA-2016:1839-01, RHSA-2016:1840-01, RHSA-2016:1841-01, RHSA-2017:3454-01, RHSA-2017:3455-01, RHSA-2017:3456-01, RHSA-2017:3458-01, VIGILANCE-VUL-20559.

Description of the vulnerability

An attacker can bypass restrictions via RBAC of JBoss Enterprise Application Platform, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2016-4993

Undertow: HTTP header injection

Synthesis of the vulnerability

An attacker can inject HTTP headers in Undertow, in order to read or alter data.
Impacted products: RHEL, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 09/09/2016.
Identifiers: CVE-2016-4993, RHSA-2016:1838-01, RHSA-2016:1839-01, RHSA-2016:1840-01, RHSA-2016:1841-01, RHSA-2017:3454-01, RHSA-2017:3455-01, RHSA-2017:3456-01, RHSA-2017:3458-01, VIGILANCE-VUL-20558.

Description of the vulnerability

An attacker can inject HTTP headers in Undertow, in order to read or alter data.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2016-6345 CVE-2016-6346

JBoss RESTEasy: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of JBoss RESTEasy.
Impacted products: RESTEasy JBoss OpenSource, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 08/09/2016.
Identifiers: 1372117, 1372120, CVE-2016-6345, CVE-2016-6346, RHSA-2017:0517-01, RHSA-2017:0826-01, RHSA-2017:0827-01, RHSA-2017:0828-01, RHSA-2017:0829-01, RHSA-2017:1675-01, RHSA-2017:1676-01, RHSA-2018:0002-01, RHSA-2018:0003-01, RHSA-2018:0004-01, RHSA-2018:0005-01, VIGILANCE-VUL-20541.

Description of the vulnerability

Several vulnerabilities were announced in JBoss RESTEasy.

An attacker can bypass security features via Async Jobs, in order to obtain sensitive information. [severity:2/4; 1372117, CVE-2016-6345]

An attacker can trigger a fatal error via GZIPInterceptor, in order to trigger a denial of service. [severity:2/4; 1372120, CVE-2016-6346]
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Red Hat JBoss Enterprise Application Platform: