RHEL 6:Red Hat JBoss Enterprise Application Platform 7.3.2 (RHSA-2020: 3461)
critical Nessus Plugin ID 139618
語系:
概要
遠端 Red Hat 主機缺少一個或多個安全性更新。說明
遠端 Redhat Enterprise Linux 6 主機上安裝的套件受到 RHSA-2020: 3461 公告中提及的多個弱點影響。- hibernate:Hibernate ORM 中的 SQL 注入攻擊問題 (CVE-2019-14900)
- jackson-databind:未正確處理序列化小工具與類型之間的互動,可能導致遠端命令執行 (CVE-2020-10672、CVE-2020-10673)
- dom4j:預設 SAX 剖析器中的 XML 外部實體弱點 (CVE-2020-10683)
- Undertow:由於允許 HTTP 要求中存在無效字元,導致未能完整修復 CVE-2017-2666 (CVE-2020-10687)
- hibernate-validator:插入限制錯誤訊息時未正確驗證輸入 (CVE-2020-10693)
- wildfly-elytron:使用 FORM 驗證時的工作階段固定 (CVE-2020-10714)
- wildfly:透過 EmbeddedManagedProcess API 洩漏了 TCCL 設定 (CVE-2020-10718)
- wildfly:Wildfly Enterprise Java Beans 中存在不安全的還原序列化 (CVE-2020-10740)
- netty:壓縮/解壓縮轉碼器未強制執行緩衝區配置大小限制 (CVE-2020-11612)
- wildfly:某些 EJB 交易物件可能累積,從而造成拒絕服務 (CVE-2020-14297)
- wildfly:收到回應後,可能無法正確移除 EJB SessionOpenInvocations,進而造成拒絕服務 (CVE-2020-14307)
- EAP:未依照 RFC7230 剖析欄位名稱 (CVE-2020-1710)
- wildfly:使用替代保護網域時,WildFlySecurityManager 中存在不當授權問題 (CVE-2020-1748)
請注意,Nessus 並未測試這些問題,而是僅依據應用程式自我報告的版本號碼作出判斷。
解決方案
更新受影響的套件。另請參閱
http://www.nessus.org/u?34e23b20
http://www.nessus.org/u?39676da8
http://www.nessus.org/u?eae4911f
https://access.redhat.com/errata/RHSA-2020:3461
https://bugzilla.redhat.com/show_bug.cgi?id=1666499
https://bugzilla.redhat.com/show_bug.cgi?id=1694235
https://bugzilla.redhat.com/show_bug.cgi?id=1785049
https://bugzilla.redhat.com/show_bug.cgi?id=1793970
https://bugzilla.redhat.com/show_bug.cgi?id=1805501
https://bugzilla.redhat.com/show_bug.cgi?id=1807707
https://bugzilla.redhat.com/show_bug.cgi?id=1815470
https://bugzilla.redhat.com/show_bug.cgi?id=1815495
https://bugzilla.redhat.com/show_bug.cgi?id=1825714
https://bugzilla.redhat.com/show_bug.cgi?id=1828476
https://bugzilla.redhat.com/show_bug.cgi?id=1834512
https://bugzilla.redhat.com/show_bug.cgi?id=1853595
https://issues.redhat.com/browse/JBEAP-19095
https://issues.redhat.com/browse/JBEAP-19134
https://issues.redhat.com/browse/JBEAP-19185
https://issues.redhat.com/browse/JBEAP-19203
https://issues.redhat.com/browse/JBEAP-19269
https://issues.redhat.com/browse/JBEAP-19322
https://issues.redhat.com/browse/JBEAP-19325
https://issues.redhat.com/browse/JBEAP-19397
https://issues.redhat.com/browse/JBEAP-19409
https://issues.redhat.com/browse/JBEAP-19529
https://issues.redhat.com/browse/JBEAP-19564
https://issues.redhat.com/browse/JBEAP-19585
https://issues.redhat.com/browse/JBEAP-19617
https://issues.redhat.com/browse/JBEAP-19619
https://issues.redhat.com/browse/JBEAP-19673
https://issues.redhat.com/browse/JBEAP-19674
https://issues.redhat.com/browse/JBEAP-19874
https://access.redhat.com/security/updates/classification/#important
Plugin 詳細資訊
嚴重性: Critical
ID: 139618
檔案名稱: redhat-RHSA-2020-3461.nasl
版本: 1.9
類型: local
代理程式: unix
已發布: 2020/8/17
已更新: 2024/4/28
支援的感應器: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
風險資訊
VPR
風險因素: Medium
分數: 6.7
CVSS v2
風險因素: High
基本分數: 7.5
時間分數: 5.5
媒介: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 評分資料來源: CVE-2020-10683
CVSS v3
風險因素: Critical
基本分數: 9.8
時間分數: 8.5
媒介: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
時間媒介: CVSS:3.0/E:U/RL:O/RC:C
弱點資訊
CPE: cpe:/o:redhat:enterprise_linux:6, p-cpe:/a:redhat:enterprise_linux:eap7-dom4j, p-cpe:/a:redhat:enterprise_linux:eap7-elytron-web, p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf, p-cpe:/a:redhat:enterprise_linux:eap7-hal-console, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-jdbc, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-remote, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-client-hotrod, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-commons, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-core, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-hibernate-cache-commons, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-hibernate-cache-spi, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-hibernate-cache-v53, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-providers, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-genericjms, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsf-api_2.3_spec, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-logmanager, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly15.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly16.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly17.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly18.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base, p-cpe:/a:redhat:enterprise_linux:eap7-netty, p-cpe:/a:redhat:enterprise_linux:eap7-netty-all, p-cpe:/a:redhat:enterprise_linux:eap7-undertow, p-cpe:/a:redhat:enterprise_linux:eap7-undertow-server, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-common, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules
必要的 KB 項目: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
可輕鬆利用: No known exploits are available
修補程式發佈日期: 2020/8/17
弱點發布日期: 2020/3/18
參考資訊
CVE: CVE-2019-14900, CVE-2020-10672, CVE-2020-10673, CVE-2020-10683, CVE-2020-10687, CVE-2020-10693, CVE-2020-10714, CVE-2020-10718, CVE-2020-10740, CVE-2020-11612, CVE-2020-14297, CVE-2020-14307, CVE-2020-1710, CVE-2020-1748