偵測

RHEL 7:JBoss EAP (RHSA-2016:0123)

high Nessus Plugin ID 112242

語系:

概要

遠端 Red Hat 主機缺少一個或多個安全性更新。

說明

現已提供適用於 Red Hat Enterprise Linux 7 的更新版套件,內含 Red Hat JBoss Enterprise Application Platform 6.4.6、修正數個錯誤、新增數項增強功能並解決一個安全性問題。Red Hat 產品安全性團隊已將此更新評等為具有重要安全性影響。可從〈參照〉一節的 CVE 連結中取得常見弱點評分系統 (CVSS) 的基本分數,其中包含有關嚴重性評等的詳細資訊。Red Hat JBoss Enterprise Application Platform 6 是一個以 JBoss Application Server 7 為基礎,並提供給 Java 應用程式使用的平台。此版本已解決以下安全性問題:據發現,Java Standard Tag Library (JSTL) 允許處理不受信任的 XML 文件以利用外部實體參照,導致可存取主機系統上的資源,並可能導致任意程式碼執行。(CVE-2015-0254) 注意:Tag Library 使用者在套用此更新後,必須採取額外步驟。可在以下網址找到額外步驟的詳細指示:https://access.redhat.com/solutions/1584363 Red Hat 感謝 IIX 的 David Jorm 和 Apache Software Foundation 報告 CVE-2015-0254 缺陷。此版本將作為 Red Hat JBoss Enterprise Application Platform 6.4.5 的取代套件,其中包含錯誤修正和增強功能。這些變更的相關文件近期將可從〈參照〉一節中的 Red Hat JBoss Enterprise Application Platform 6.4.6 版本資訊連結中取得。建議所有在 Red Hat Enterprise Linux 7 中使用 Red Hat JBoss Enterprise Application Platform 6.4 的使用者皆升級至這些更新版套件。必須重新啟動 JBoss 伺服器處理程序,此更新才會生效。

解決方案

更新受影響的套件。

另請參閱

https://access.redhat.com/errata/RHSA-2016:0123

https://access.redhat.com/security/cve/cve-2015-0254

Plugin 詳細資訊

嚴重性: High

ID: 112242

檔案名稱: redhat-RHSA-2016-0123.nasl

版本: 1.5

類型: local

代理程式: unix

已發布: 2018/9/4

已更新: 2019/10/24

支援的感應器: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

風險資訊

VPR

風險因素: Medium

分數: 4.7

CVSS v2

風險因素: High

基本分數: 7.5

媒介: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

弱點資訊

CPE: p-cpe:/a:redhat:enterprise_linux:apache-cxf, p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-validator, p-cpe:/a:redhat:enterprise_linux:hornetq, p-cpe:/a:redhat:enterprise_linux:httpserver, p-cpe:/a:redhat:enterprise_linux:infinispan, p-cpe:/a:redhat:enterprise_linux:infinispan-cachestore-jdbc, p-cpe:/a:redhat:enterprise_linux:infinispan-cachestore-remote, p-cpe:/a:redhat:enterprise_linux:infinispan-client-hotrod, p-cpe:/a:redhat:enterprise_linux:infinispan-core, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient, p-cpe:/a:redhat:enterprise_linux:jboss-as-cli, p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all, p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering, p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp, p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin, p-cpe:/a:redhat:enterprise_linux:jboss-as-connector, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client, p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment, p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3, p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded, p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs, p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr, p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77, p-cpe:/a:redhat:enterprise_linux:jboss-as-logging, p-cpe:/a:redhat:enterprise_linux:jboss-as-mail, p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content, p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging, p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster, p-cpe:/a:redhat:enterprise_linux:jboss-as-naming, p-cpe:/a:redhat:enterprise_linux:jboss-as-network, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service, p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink, p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean, p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo, p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol, p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting, p-cpe:/a:redhat:enterprise_linux:jboss-as-sar, p-cpe:/a:redhat:enterprise_linux:jboss-as-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-server, p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-as-threads, p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions, p-cpe:/a:redhat:enterprise_linux:jboss-as-version, p-cpe:/a:redhat:enterprise_linux:jboss-as-web, p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices, p-cpe:/a:redhat:enterprise_linux:jboss-as-weld, p-cpe:/a:redhat:enterprise_linux:jboss-as-xts, p-cpe:/a:redhat:enterprise_linux:jboss-jstl-api_1.2_spec, p-cpe:/a:redhat:enterprise_linux:jboss-remote-naming, p-cpe:/a:redhat:enterprise_linux:jboss-remoting3, p-cpe:/a:redhat:enterprise_linux:jbossas-appclient, p-cpe:/a:redhat:enterprise_linux:jbossas-bundles, p-cpe:/a:redhat:enterprise_linux:jbossas-core, p-cpe:/a:redhat:enterprise_linux:jbossas-domain, p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs, p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap, p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap, p-cpe:/a:redhat:enterprise_linux:jbossas-standalone, p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap, p-cpe:/a:redhat:enterprise_linux:jbossws-cxf, p-cpe:/a:redhat:enterprise_linux:jgroups, p-cpe:/a:redhat:enterprise_linux:wss4j, p-cpe:/a:redhat:enterprise_linux:xml-security, cpe:/o:redhat:enterprise_linux:7

必要的 KB 項目: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

修補程式發佈日期: 2016/2/4

弱點發布日期: 2015/3/9

參考資訊

CVE: CVE-2015-0254

RHSA: 2016:0123