RHEL 6:JBoss EAP (RHSA-2018:0479)
critical Nessus Plugin ID 108323
語系:
概要
遠端 Red Hat 主機缺少一個或多個安全性更新。說明
現已提供適用於 Red Hat Enterprise Linux 6 之 Red Hat JBoss Enterprise Application Platform 7.1 的更新。Red Hat 產品安全性團隊已將此更新評等為具有重要安全性影響。可從〈參照〉一節的 CVE 連結中取得每個弱點之常見弱點評分系統 (CVSS) 的基本分數,其中包含有關嚴重性評等的詳細資訊。Red Hat JBoss Enterprise Application Platform 是一個以 JBoss Application Server 為基礎,並提供給 Java 應用程式使用的平台。此 Red Hat JBoss Enterprise Application Platform 7.1.1 版本是 Red Hat JBoss Enterprise Application Platform 7.1.0 的替代版本,其中包含數個錯誤修正和增強功能,詳情請參閱〈參照〉中的「版本資訊」連結。安全性修正:* artemis/hornetq:因 UDP 和 JGroups 探索導致的記憶體耗盡 (CVE-2017-12174) * infinispan:插入資料快取的惡意物件的不安全還原序列化 (CVE-2017-15089) * jackson-databind:因為不完整的封鎖清單導致不安全的還原序列化 (CVE-2017-7525 的修正不完整) (CVE-2017-15095) * jackson-databind:因為不完整的封鎖清單導致不安全的還原序列化 (CVE-2017-15095 的修正不完整) (CVE-2017-17485) * resteasy:CORS 篩選器未加入 Vary 標頭,進而導致快取破壞 (CVE-2017-7561) * undertow:用戶端可在摘要式驗證中使用 bogus uri (CVE-2017-12196) * undertow:未在 AjpRequestParser 中將 ALLOW_ENCODED_SLASH 選項納入考量 (CVE-2018-1048) * jackson-databind:因為不完整的封鎖清單導致不安全的還原序列化 (CVE-2017-7525 和 CVE-2017-17485 的修正不完整) (CVE-2018-5968) 如需安全性問題的詳細資料,包括影響、CVSS 分數、致謝及其他相關資訊,請參閱〈參照〉一節列出的 CVE 頁面。解決方案
更新受影響的套件。另請參閱
http://www.nessus.org/u?9fadae4e
http://www.nessus.org/u?bf165061
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=1483823
https://bugzilla.redhat.com/show_bug.cgi?id=1498378
https://bugzilla.redhat.com/show_bug.cgi?id=1503055
https://bugzilla.redhat.com/show_bug.cgi?id=1503610
https://bugzilla.redhat.com/show_bug.cgi?id=1506612
https://bugzilla.redhat.com/show_bug.cgi?id=1528565
https://bugzilla.redhat.com/show_bug.cgi?id=1534343
Plugin 詳細資訊
嚴重性: Critical
ID: 108323
檔案名稱: redhat-RHSA-2018-0479.nasl
版本: 1.7
類型: local
代理程式: unix
已發布: 2018/3/14
已更新: 2024/4/27
支援的感應器: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
風險資訊
VPR
風險因素: Medium
分數: 6.7
CVSS v2
風險因素: High
基本分數: 7.5
時間分數: 5.9
媒介: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 評分資料來源: CVE-2017-17485
CVSS v3
風險因素: Critical
基本分數: 9.8
時間分數: 8.8
媒介: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
時間媒介: CVSS:3.0/E:P/RL:O/RC:C
弱點資訊
CPE: p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools, p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-common, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-config, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-federation, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-api, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-impl, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-simple-schema, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-impl, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider, p-cpe:/a:redhat:enterprise_linux:eap7-undertow, p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-infinispan, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-jdbc, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-remote, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-client-hotrod, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-commons, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-core, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-providers, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-logmanager, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.1, p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-cxf, p-cpe:/a:redhat:enterprise_linux:eap7-narayana, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbosstxbridge, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbossxts, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-api, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-bindings, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-policy, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-common, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-dom, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-policy-stax, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-stax, p-cpe:/a:redhat:enterprise_linux:eap7-xml-security, cpe:/o:redhat:enterprise_linux:6
必要的 KB 項目: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
修補程式發佈日期: 2018/3/12
弱點發布日期: 2017/9/13
參考資訊
CVE: CVE-2017-12174, CVE-2017-12196, CVE-2017-15089, CVE-2017-15095, CVE-2017-17485, CVE-2017-7561, CVE-2018-1048, CVE-2018-5968