RHEL 7Red Hat JBoss Enterprise Application Platform 6.4.0 更新 (重要) (RHSA-2015:0848)
high Nessus Plugin ID 112239
語言:
概要
遠端 Red Hat 主機缺少一個或多個安全性更新。說明
遠端 Redhat Enterprise Linux 7 主機上安裝的套件受到 RHSA-2015:0848 公告中提及的多個弱點影響。Red Hat JBoss Enterprise Application Platform 6 是一個以 JBoss Application Server 7 為基礎,並提供給 Java 應用程式使用的平台。
據發現,Apache WSS4J 之前對於 Bleichenbache 向 XML 加密發動的攻擊 (CVE-2011-2487) 所提出的對策會擲回例外狀況,這會允許攻擊者將所嘗試之攻擊判定為失敗,從而導致 WSS4J 容易受到攻擊。
原始瑕疵允許遠端攻擊者完整復原純文字對稱金鑰。 (CVE-2015-0226)
在 PicketLink 的服務提供者和身分識別提供者處理某些要求的方式中,發現缺陷。遠端攻擊者可利用此瑕疵透過 PicketLink 登入受害者的帳戶。 (CVE-2015-0277)
據發現,舊版 JkMount 規則的樹狀子目錄 JkUnmount 規則可能會遭到忽略。這可能允許遠端攻擊者存取樹狀結構中他們無法存取的私密成品。 (CVE-2014-8111)
據發現,Apache WSS4J 會允許透過 XML 簽章封裝攻擊,繞過 requireSignedEncryptedDataElements 組態屬性。遠端攻擊者可利用此瑕疵修改已簽署要求的內容。 (CVE-2015-0227)
據發現,Red Hat Enterprise Application Platform 提供的命令列介面會在使用者的主目錄中,以不安全的預設檔案權限,建立名稱為 .jboss-cli-history 的歷程記錄檔。這可允許惡意本機使用者取得他們原本無法存取的資訊。 (CVE-2014-3586)
CVE-2015-0277 問題是由 Red Hat 的 Ondrej Kotek 發現。
此 JBoss Enterprise Application Platform 版本也包含錯誤修正及增強功能。這些變更的相關文件近期將可從〈參照〉一節中的 JBoss Enterprise Application Platform 6.4.0 版本資訊連結中取得。
建議所有在 Red Hat Enterprise Linux 7 中需要 JBoss Enterprise Application Platform 6.4.0 的使用者皆安裝這些新套件。必須重新啟動 JBoss 伺服器處理程序,此更新才會生效。
Tenable 已直接從 Red Hat Enterprise Linux 安全公告擷取前置描述區塊。
請注意,Nessus 並未測試這些問題,而是僅依據應用程式自我報告的版本號碼作出判斷。
解決方案
更新受影響的套件。另請參閱
http://www.nessus.org/u?5f636a44
http://www.nessus.org/u?8e416bf1
https://access.redhat.com/errata/RHSA-2015:0848
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=1126687
https://bugzilla.redhat.com/show_bug.cgi?id=1155446
https://bugzilla.redhat.com/show_bug.cgi?id=1158979
https://bugzilla.redhat.com/show_bug.cgi?id=1165221
https://bugzilla.redhat.com/show_bug.cgi?id=1165229
https://bugzilla.redhat.com/show_bug.cgi?id=1166456
https://bugzilla.redhat.com/show_bug.cgi?id=1166746
https://bugzilla.redhat.com/show_bug.cgi?id=1167398
https://bugzilla.redhat.com/show_bug.cgi?id=1167920
https://bugzilla.redhat.com/show_bug.cgi?id=1167927
https://bugzilla.redhat.com/show_bug.cgi?id=1179791
https://bugzilla.redhat.com/show_bug.cgi?id=1179831
https://bugzilla.redhat.com/show_bug.cgi?id=1179838
https://bugzilla.redhat.com/show_bug.cgi?id=1179845
https://bugzilla.redhat.com/show_bug.cgi?id=1179848
https://bugzilla.redhat.com/show_bug.cgi?id=1182591
https://bugzilla.redhat.com/show_bug.cgi?id=1182975
https://bugzilla.redhat.com/show_bug.cgi?id=1182981
https://bugzilla.redhat.com/show_bug.cgi?id=1182985
https://bugzilla.redhat.com/show_bug.cgi?id=1182991
https://bugzilla.redhat.com/show_bug.cgi?id=1182995
https://bugzilla.redhat.com/show_bug.cgi?id=1182997
https://bugzilla.redhat.com/show_bug.cgi?id=1183000
https://bugzilla.redhat.com/show_bug.cgi?id=1188724
https://bugzilla.redhat.com/show_bug.cgi?id=1188727
https://bugzilla.redhat.com/show_bug.cgi?id=1188731
https://bugzilla.redhat.com/show_bug.cgi?id=1188736
https://bugzilla.redhat.com/show_bug.cgi?id=1188939
https://bugzilla.redhat.com/show_bug.cgi?id=1188946
https://bugzilla.redhat.com/show_bug.cgi?id=1188953
https://bugzilla.redhat.com/show_bug.cgi?id=1188959
https://bugzilla.redhat.com/show_bug.cgi?id=1188967
https://bugzilla.redhat.com/show_bug.cgi?id=1188978
https://bugzilla.redhat.com/show_bug.cgi?id=1188985
https://bugzilla.redhat.com/show_bug.cgi?id=1188988
https://bugzilla.redhat.com/show_bug.cgi?id=1188991
https://bugzilla.redhat.com/show_bug.cgi?id=1188994
https://bugzilla.redhat.com/show_bug.cgi?id=1191446
https://bugzilla.redhat.com/show_bug.cgi?id=1191451
https://bugzilla.redhat.com/show_bug.cgi?id=1194832
https://bugzilla.redhat.com/show_bug.cgi?id=1195910
https://bugzilla.redhat.com/show_bug.cgi?id=1195914
https://bugzilla.redhat.com/show_bug.cgi?id=1195918
https://bugzilla.redhat.com/show_bug.cgi?id=1195923
https://bugzilla.redhat.com/show_bug.cgi?id=1195926
https://bugzilla.redhat.com/show_bug.cgi?id=1195929
https://bugzilla.redhat.com/show_bug.cgi?id=1195932
https://bugzilla.redhat.com/show_bug.cgi?id=1195935
https://bugzilla.redhat.com/show_bug.cgi?id=1195938
https://bugzilla.redhat.com/show_bug.cgi?id=1195943
Plugin 詳細資訊
嚴重性: High
ID: 112239
檔案名稱: redhat-RHSA-2015-0848.nasl
版本: 1.8
類型: local
代理程式: unix
已發布: 2018/9/4
已更新: 2025/4/29
支援的感應器: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
風險資訊
VPR
風險因素: Medium
分數: 5.9
Vendor
Vendor Severity: Important
CVSS v2
風險因素: Medium
基本分數: 6
時間性分數: 4.4
媒介: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS 評分資料來源: CVE-2015-6254
CVSS v3
風險因素: High
基本分數: 7.5
時間性分數: 6.5
媒介: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
時間媒介: CVSS:3.0/E:U/RL:O/RC:C
CVSS 評分資料來源: CVE-2015-0226
弱點資訊
CPE: p-cpe:/a:redhat:enterprise_linux:eap6-avro, p-cpe:/a:redhat:enterprise_linux:eap6-rngom, p-cpe:/a:redhat:enterprise_linux:httpcomponents-client-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-jaspi-api_1.0_spec, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-ear, p-cpe:/a:redhat:enterprise_linux:infinispan-core, p-cpe:/a:redhat:enterprise_linux:jboss-as-weld, p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering, p-cpe:/a:redhat:enterprise_linux:jcip-annotations-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-modules, p-cpe:/a:redhat:enterprise_linux:mod_cluster-demo, p-cpe:/a:redhat:enterprise_linux:jboss-logging, p-cpe:/a:redhat:enterprise_linux:sun-ws-metadata-2.0-api, p-cpe:/a:redhat:enterprise_linux:apache-commons-daemon-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin, p-cpe:/a:redhat:enterprise_linux:picketlink-bindings, p-cpe:/a:redhat:enterprise_linux:jboss-rmi-api_1.0_spec, p-cpe:/a:redhat:enterprise_linux:apache-commons-lang-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-servlet-api_3.0_spec, p-cpe:/a:redhat:enterprise_linux:org.osgi.enterprise-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-osgi-logging, p-cpe:/a:redhat:enterprise_linux:jboss-xnio-base, p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient, p-cpe:/a:redhat:enterprise_linux:httpd22-tools, p-cpe:/a:redhat:enterprise_linux:httpd22-manual, p-cpe:/a:redhat:enterprise_linux:apache-commons-pool-eap6, p-cpe:/a:redhat:enterprise_linux:tomcat-native, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner, p-cpe:/a:redhat:enterprise_linux:jboss-as-network, p-cpe:/a:redhat:enterprise_linux:picketbox, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6, p-cpe:/a:redhat:enterprise_linux:org.osgi.core-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-logmanager, p-cpe:/a:redhat:enterprise_linux:objectweb-asm-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-annotations-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:apache-mime4j, p-cpe:/a:redhat:enterprise_linux:httpd22, p-cpe:/a:redhat:enterprise_linux:infinispan-cachestore-remote, p-cpe:/a:redhat:enterprise_linux:jbosgi-vfs, p-cpe:/a:redhat:enterprise_linux:jboss-servlet-api_2.5_spec, p-cpe:/a:redhat:enterprise_linux:httpcomponents-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs, p-cpe:/a:redhat:enterprise_linux:jboss-jms-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-sar, p-cpe:/a:redhat:enterprise_linux:jbosgi-deployment, p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all, p-cpe:/a:redhat:enterprise_linux:jboss-j2eemgmt-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging, p-cpe:/a:redhat:enterprise_linux:jboss-aesh, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin, p-cpe:/a:redhat:enterprise_linux:glassfish-jaf, p-cpe:/a:redhat:enterprise_linux:jboss-as-cli, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-common, p-cpe:/a:redhat:enterprise_linux:jboss-threads, p-cpe:/a:redhat:enterprise_linux:jbosgi-repository, p-cpe:/a:redhat:enterprise_linux:sun-codemodel, p-cpe:/a:redhat:enterprise_linux:apache-commons-io-eap6, p-cpe:/a:redhat:enterprise_linux:eap6-jandex, p-cpe:/a:redhat:enterprise_linux:relaxngdatatype-eap6, p-cpe:/a:redhat:enterprise_linux:staxmapper, p-cpe:/a:redhat:enterprise_linux:log4j-jboss-logmanager, p-cpe:/a:redhat:enterprise_linux:jboss-jsp-api_2.2_spec, p-cpe:/a:redhat:enterprise_linux:eap6-jansi, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson, p-cpe:/a:redhat:enterprise_linux:jbossas-standalone, p-cpe:/a:redhat:enterprise_linux:mod_rt, p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment, p-cpe:/a:redhat:enterprise_linux:jbossweb, p-cpe:/a:redhat:enterprise_linux:jboss-as-naming, p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean, p-cpe:/a:redhat:enterprise_linux:mod_ssl22, p-cpe:/a:redhat:enterprise_linux:glassfish-javamail, p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-core, p-cpe:/a:redhat:enterprise_linux:httpmime-eap6, p-cpe:/a:redhat:enterprise_linux:jbossts, p-cpe:/a:redhat:enterprise_linux:jboss-as-xts, p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions, p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices, p-cpe:/a:redhat:enterprise_linux:jboss-classfilewriter, p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi, p-cpe:/a:redhat:enterprise_linux:jboss-weld-1.1-api, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-jaxrs, p-cpe:/a:redhat:enterprise_linux:jbossas-hornetq-native, p-cpe:/a:redhat:enterprise_linux:eap6-cal10n, p-cpe:/a:redhat:enterprise_linux:jboss-common-core, p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo, p-cpe:/a:redhat:enterprise_linux:lucene-solr, p-cpe:/a:redhat:enterprise_linux:jboss-as-mail, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-appclient, p-cpe:/a:redhat:enterprise_linux:hibernate4-validator, p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3, p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-metadata, p-cpe:/a:redhat:enterprise_linux:jboss-iiop-client, p-cpe:/a:redhat:enterprise_linux:jboss-interceptors-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management, p-cpe:/a:redhat:enterprise_linux:eap6-apache-commons-cli, p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-transaction-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:weld-cdi-1.0-api, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee, p-cpe:/a:redhat:enterprise_linux:jboss-connector-api_1.6_spec, p-cpe:/a:redhat:enterprise_linux:hibernate-beanvalidation-api, p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs, p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp, p-cpe:/a:redhat:enterprise_linux:jboss-vfs2, p-cpe:/a:redhat:enterprise_linux:mod_snmp, p-cpe:/a:redhat:enterprise_linux:jbosgi-metadata, p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-web, p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap, p-cpe:/a:redhat:enterprise_linux:sun-txw2, p-cpe:/a:redhat:enterprise_linux:jboss-jad-api_1.2_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx, p-cpe:/a:redhat:enterprise_linux:hornetq-native, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-jaxrpc-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77, p-cpe:/a:redhat:enterprise_linux:jboss-common-beans, p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http, p-cpe:/a:redhat:enterprise_linux:jbossas-appclient, p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded, p-cpe:/a:redhat:enterprise_linux:infinispan, p-cpe:/a:redhat:enterprise_linux:jul-to-slf4j-stub, p-cpe:/a:redhat:enterprise_linux:jbosgi-spi, p-cpe:/a:redhat:enterprise_linux:jboss-ejb-api_3.1_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting, p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa, p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr, p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr, p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client, p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf, p-cpe:/a:redhat:enterprise_linux:picketbox-commons, p-cpe:/a:redhat:enterprise_linux:httpclient-eap6, p-cpe:/a:redhat:enterprise_linux:infinispan-cachestore-jdbc, p-cpe:/a:redhat:enterprise_linux:jboss-remote-naming, p-cpe:/a:redhat:enterprise_linux:httpserver, p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6, p-cpe:/a:redhat:enterprise_linux:eap6-snakeyaml, p-cpe:/a:redhat:enterprise_linux:httpcomponents-core-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap, p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap, p-cpe:/a:redhat:enterprise_linux:sun-xsom, p-cpe:/a:redhat:enterprise_linux:jboss-dmr, p-cpe:/a:redhat:enterprise_linux:jbossxb2, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller, p-cpe:/a:redhat:enterprise_linux:httpcore-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-ejb, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-mapper-asl, p-cpe:/a:redhat:enterprise_linux:jboss-as-threads, p-cpe:/a:redhat:enterprise_linux:jbosgi-resolver, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:jdom-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-jaxb-api_2.2_spec, p-cpe:/a:redhat:enterprise_linux:hibernate-jpa-2.0-api, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service, p-cpe:/a:redhat:enterprise_linux:jboss-genericjms, p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb, p-cpe:/a:redhat:enterprise_linux:httpcomponents-project-eap6, p-cpe:/a:redhat:enterprise_linux:glassfish-jsf12-eap6, p-cpe:/a:redhat:enterprise_linux:eap6-apache-commons-configuration, p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-core-asl, p-cpe:/a:redhat:enterprise_linux:jboss-as-server, p-cpe:/a:redhat:enterprise_linux:jboss-as-console, p-cpe:/a:redhat:enterprise_linux:mod_cluster-native, p-cpe:/a:redhat:enterprise_linux:picketlink-federation, p-cpe:/a:redhat:enterprise_linux:jboss-as-logging, p-cpe:/a:redhat:enterprise_linux:jboss-hal, p-cpe:/a:redhat:enterprise_linux:jbossas-jbossweb-native, p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink, p-cpe:/a:redhat:enterprise_linux:mod_cluster, p-cpe:/a:redhat:enterprise_linux:jboss-as-version, p-cpe:/a:redhat:enterprise_linux:velocity-eap6, p-cpe:/a:redhat:enterprise_linux:atinject-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-jaxr-api_1.0_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository, p-cpe:/a:redhat:enterprise_linux:jbosgi-framework-core, p-cpe:/a:redhat:enterprise_linux:hibernate4-search, p-cpe:/a:redhat:enterprise_linux:eap6-joda-time, p-cpe:/a:redhat:enterprise_linux:eap6-apache-commons-codec, p-cpe:/a:redhat:enterprise_linux:glassfish-jsf-eap6, p-cpe:/a:redhat:enterprise_linux:hornetq, p-cpe:/a:redhat:enterprise_linux:eap6-ecj, p-cpe:/a:redhat:enterprise_linux:infinispan-client-hotrod, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-seam-int, p-cpe:/a:redhat:enterprise_linux:javassist-eap6, p-cpe:/a:redhat:enterprise_linux:resteasy, p-cpe:/a:redhat:enterprise_linux:httpd22-devel, p-cpe:/a:redhat:enterprise_linux:mod_jk-ap22, p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-domain, p-cpe:/a:redhat:enterprise_linux:jboss-as-web, p-cpe:/a:redhat:enterprise_linux:jboss-sasl, p-cpe:/a:redhat:enterprise_linux:hibernate3-commons-annotations, p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-jaxrs-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-connector, p-cpe:/a:redhat:enterprise_linux:jbossas-bundles, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-xc, p-cpe:/a:redhat:enterprise_linux:mod_jk
必要的 KB 項目: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
可輕鬆利用: No known exploits are available
修補程式發佈日期: 2015/4/16
弱點發布日期: 2015/2/12
參考資訊
CVE: CVE-2014-3586, CVE-2014-8111, CVE-2015-0226, CVE-2015-0227, CVE-2015-0277, CVE-2015-0298, CVE-2015-6254