RHEL 7:Red Hat JBoss 企業應用程式平台 7.4.6 安全性更新 (中等) (RHSA-2022: 5892)

critical Nessus Plugin ID 163796

Synopsis

遠端 Red Hat 主機缺少一個或多個安全性更新。

描述

遠端 Redhat Enterprise Linux 7 主機上安裝的多個套件受到 RHSA-2022: 5892 公告中提及多個弱點影響。

- minimist:原型污染 (CVE-2021-44906)

- netty:任何人皆可讀取包含敏感資料的暫存檔 (CVE-2022-24823)

- com.google.code.gson-gson:com.google.code.gson-gson 對未受信任的資料執行反序列化 (CVE-2022-25647)

請注意,Nessus 並未測試這些問題,而是僅依據應用程式自我報告的版本號碼作出判斷。

解決方案

更新受影響的套件。

另請參閱

https://access.redhat.com/security/cve/CVE-2021-44906

https://access.redhat.com/security/cve/CVE-2022-24823

https://access.redhat.com/security/cve/CVE-2022-25647

https://access.redhat.com/errata/RHSA-2022:5892

https://bugzilla.redhat.com/2066009

https://bugzilla.redhat.com/2080850

https://bugzilla.redhat.com/2087186

Plugin 詳細資訊

嚴重性: Critical

ID: 163796

檔案名稱: redhat-RHSA-2022-5892.nasl

版本: 1.6

類型: local

代理程式: unix

已發布: 2022/8/4

已更新: 2023/1/23

支持的傳感器: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent

風險資訊

VPR

風險因素: Medium

分數: 6.7

CVSS v2

風險因素: High

基本分數: 7.5

時間分數: 5.5

媒介: AV:N/AC:L/Au:N/C:P/I:P/A:P

時間媒介: E:U/RL:OF/RC:C

CVSS 評分資料來源: CVE-2021-44906

CVSS v3

風險因素: Critical

基本分數: 9.8

時間分數: 8.5

媒介: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

時間媒介: E:U/RL:O/RC:C

弱點資訊

CPE: cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools, p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf, p-cpe:/a:redhat:enterprise_linux:eap7-gson, p-cpe:/a:redhat:enterprise_linux:eap7-hal-console, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind, p-cpe:/a:redhat:enterprise_linux:eap7-jandex, p-cpe:/a:redhat:enterprise_linux:eap7-jberet, p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core, p-cpe:/a:redhat:enterprise_linux:eap7-netty, p-cpe:/a:redhat:enterprise_linux:eap7-netty-all, p-cpe:/a:redhat:enterprise_linux:eap7-netty-buffer, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-dns, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-haproxy, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-http, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-http2, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-memcache, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-mqtt, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-redis, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-smtp, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-socks, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-stomp, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-xml, p-cpe:/a:redhat:enterprise_linux:eap7-netty-common, p-cpe:/a:redhat:enterprise_linux:eap7-netty-handler, p-cpe:/a:redhat:enterprise_linux:eap7-netty-handler-proxy, p-cpe:/a:redhat:enterprise_linux:eap7-netty-resolver, p-cpe:/a:redhat:enterprise_linux:eap7-netty-resolver-dns, p-cpe:/a:redhat:enterprise_linux:eap7-netty-resolver-dns-classes-macos, p-cpe:/a:redhat:enterprise_linux:eap7-netty-tcnative, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-classes-epoll, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-classes-kqueue, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-native-epoll, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-native-unix-common, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-rxtx, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-sctp, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-udt, p-cpe:/a:redhat:enterprise_linux:eap7-picketbox, p-cpe:/a:redhat:enterprise_linux:eap7-picketbox-infinispan, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-api, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-common, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-config, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-federation, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-api, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-impl, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-simple-schema, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-impl, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8, p-cpe:/a:redhat:enterprise_linux:eap7-undertow, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl-el7-x86_64, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl-java

必要的 KB 項目: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

可輕鬆利用: No known exploits are available

修補程式發佈日期: 2022/8/3

弱點發布日期: 2022/3/17

參考資訊

CVE: CVE-2021-44906, CVE-2022-24823, CVE-2022-25647

RHSA: 2022:5892

CWE: 200, 378, 379, 400, 502, 1321