偵測

RHEL 6:JBoss EAP (RHSA-2013:1786)

medium Nessus Plugin ID 71225

語系:

概要

遠端 Red Hat 主機缺少一個或多個安全性更新。

說明

現已提供適用於 Red Hat Enterprise Linux 6 的更新版 Red Hat JBoss Enterprise Application Platform 6.2.0 套件,可修正兩個安全性問題、數個錯誤,並新增多個增強功能。

Red Hat 安全性回應團隊已將此更新評等為具有低安全性影響。可針對每個弱點從〈參照〉一節的 CVE 連結中取得常見弱點評分系統 (CVSS) 的基本分數,其中包含有關嚴重性評等的詳細資訊。

Red Hat JBoss Enterprise Application Platform 6 是一個以 JBoss Application Server 7 為基礎,並提供給 Java 應用程式使用的平台。

當原生程式庫隨附於 JAR 檔案中,且沒有指定自訂程式庫路徑時,HawtJNI 程式庫類別將原生程式庫寫入 /tmp/ 中可預測的檔案名稱。在 HawtJNI 寫入這些原生程式庫到它們執行前的這段時間內,本機攻擊者可以惡意的版本覆寫這些程式庫。
(CVE-2013-2035)

在 EJB invocation 處置程式實作針對 JAX-WS 服務端點執行方法層級授權的方式中發現一個瑕疵。執行 JAX-WS 處置程式時,EJB 方法宣告的任何限制都會遭到忽略,只會套用跨層級限制。授權存取 EJB 類別的遠端攻擊者,可叫用他們未獲授權叫用的 JAX-WS 處置程式。(CVE-2013-2133)

CVE-2013-2035 問題是由 Red Hat 產品安全性團隊的 Florian Weimer 所發現的; CVE-2013-2133 問題則是由 Red Hat 的 Richard Opalka 和 Arun Neelicattu 所發現的。

此版本是 JBoss Enterprise Application Platform 6.1.1 的替代版本,其中包含錯誤修正和增強功能。這些變更的相關文件近期將可從〈參照〉一節中的 JBoss Enterprise Application Platform 6.2.0 版本資訊連結中取得。

建議所有在 Red Hat Enterprise Linux 6 上使用 JBoss Enterprise Application Platform 6.1.1 的使用者皆升級至這些更新版套件。
必須重新啟動 JBoss 伺服器處理程序,此更新才會生效。

解決方案

更新受影響的套件。

另請參閱

https://access.redhat.com/documentation/en-US/

https://access.redhat.com/errata/RHSA-2013:1786

https://access.redhat.com/security/cve/cve-2013-2035

https://access.redhat.com/security/cve/cve-2013-2133

Plugin 詳細資訊

嚴重性: Medium

ID: 71225

檔案名稱: redhat-RHSA-2013-1786.nasl

版本: 1.19

類型: local

代理程式: unix

已發布: 2013/12/5

已更新: 2021/1/14

支援的感應器: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

風險資訊

VPR

風險因素: Medium

分數: 6.7

CVSS v2

風險因素: Medium

基本分數: 5.5

時間分數: 4.1

媒介: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

弱點資訊

CPE: p-cpe:/a:redhat:enterprise_linux:antlr-eap6, p-cpe:/a:redhat:enterprise_linux:apache-commons-beanutils, p-cpe:/a:redhat:enterprise_linux:apache-commons-cli, p-cpe:/a:redhat:enterprise_linux:apache-commons-configuration, p-cpe:/a:redhat:enterprise_linux:apache-commons-daemon-eap6, p-cpe:/a:redhat:enterprise_linux:apache-commons-pool-eap6, p-cpe:/a:redhat:enterprise_linux:apache-cxf, p-cpe:/a:redhat:enterprise_linux:apache-cxf-xjc-utils, p-cpe:/a:redhat:enterprise_linux:apache-mime4j, p-cpe:/a:redhat:enterprise_linux:atinject-eap6, p-cpe:/a:redhat:enterprise_linux:cxf-xjc-boolean, p-cpe:/a:redhat:enterprise_linux:cxf-xjc-dv, p-cpe:/a:redhat:enterprise_linux:cxf-xjc-ts, p-cpe:/a:redhat:enterprise_linux:dom4j-eap6, p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-eap6, p-cpe:/a:redhat:enterprise_linux:glassfish-jsf-eap6, p-cpe:/a:redhat:enterprise_linux:gnu-getopt, p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6, p-cpe:/a:redhat:enterprise_linux:hornetq, p-cpe:/a:redhat:enterprise_linux:hornetq-native, p-cpe:/a:redhat:enterprise_linux:httpserver, p-cpe:/a:redhat:enterprise_linux:infinispan, p-cpe:/a:redhat:enterprise_linux:infinispan-cachestore-jdbc, p-cpe:/a:redhat:enterprise_linux:infinispan-cachestore-remote, p-cpe:/a:redhat:enterprise_linux:infinispan-client-hotrod, p-cpe:/a:redhat:enterprise_linux:infinispan-core, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6, p-cpe:/a:redhat:enterprise_linux:jacorb-jboss, p-cpe:/a:redhat:enterprise_linux:jansi, p-cpe:/a:redhat:enterprise_linux:javassist-eap6, p-cpe:/a:redhat:enterprise_linux:jaxen, p-cpe:/a:redhat:enterprise_linux:jbosgi-metadata, p-cpe:/a:redhat:enterprise_linux:jboss-aesh, p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient, p-cpe:/a:redhat:enterprise_linux:jboss-as-cli, p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all, p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering, p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp, p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin, p-cpe:/a:redhat:enterprise_linux:jboss-as-connector, p-cpe:/a:redhat:enterprise_linux:jboss-as-console, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client, p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment, p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3, p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded, p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs, p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr, p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77, p-cpe:/a:redhat:enterprise_linux:jboss-as-logging, p-cpe:/a:redhat:enterprise_linux:jboss-as-mail, p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content, p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging, p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster, p-cpe:/a:redhat:enterprise_linux:jboss-as-naming, p-cpe:/a:redhat:enterprise_linux:jboss-as-network, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service, p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean, p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo, p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol, p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting, p-cpe:/a:redhat:enterprise_linux:jboss-as-sar, p-cpe:/a:redhat:enterprise_linux:jboss-as-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-server, p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-as-threads, p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions, p-cpe:/a:redhat:enterprise_linux:jboss-as-version, p-cpe:/a:redhat:enterprise_linux:jboss-as-web, p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices, p-cpe:/a:redhat:enterprise_linux:jboss-as-weld, p-cpe:/a:redhat:enterprise_linux:jboss-as-xts, p-cpe:/a:redhat:enterprise_linux:jboss-dmr, p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client, p-cpe:/a:redhat:enterprise_linux:jboss-ejb3-ext-api, p-cpe:/a:redhat:enterprise_linux:jboss-genericjms, p-cpe:/a:redhat:enterprise_linux:jboss-hal, p-cpe:/a:redhat:enterprise_linux:jboss-jacc-api_1.4_spec, p-cpe:/a:redhat:enterprise_linux:jboss-logmanager, p-cpe:/a:redhat:enterprise_linux:jboss-marshalling, p-cpe:/a:redhat:enterprise_linux:jboss-modules, p-cpe:/a:redhat:enterprise_linux:jboss-remoting3, p-cpe:/a:redhat:enterprise_linux:jboss-remoting3-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-security-negotiation, p-cpe:/a:redhat:enterprise_linux:jboss-security-xacml, p-cpe:/a:redhat:enterprise_linux:jboss-threads, p-cpe:/a:redhat:enterprise_linux:jboss-vfs2, p-cpe:/a:redhat:enterprise_linux:jboss-weld-1.1-api, p-cpe:/a:redhat:enterprise_linux:jbossas-appclient, p-cpe:/a:redhat:enterprise_linux:jbossas-bundles, p-cpe:/a:redhat:enterprise_linux:jbossas-core, p-cpe:/a:redhat:enterprise_linux:jbossas-domain, p-cpe:/a:redhat:enterprise_linux:jbossas-hornetq-native, p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs, p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap, p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap, p-cpe:/a:redhat:enterprise_linux:jbossas-standalone, p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap, p-cpe:/a:redhat:enterprise_linux:jbossts, p-cpe:/a:redhat:enterprise_linux:jbossws-api, p-cpe:/a:redhat:enterprise_linux:jbossws-common, p-cpe:/a:redhat:enterprise_linux:jbossws-common-tools, p-cpe:/a:redhat:enterprise_linux:jbossws-cxf, p-cpe:/a:redhat:enterprise_linux:jbossws-native, p-cpe:/a:redhat:enterprise_linux:jbossws-spi, p-cpe:/a:redhat:enterprise_linux:jcip-annotations-eap6, p-cpe:/a:redhat:enterprise_linux:jdom-eap6, p-cpe:/a:redhat:enterprise_linux:jettison, p-cpe:/a:redhat:enterprise_linux:jgroups, p-cpe:/a:redhat:enterprise_linux:juddi, p-cpe:/a:redhat:enterprise_linux:mod_cluster, p-cpe:/a:redhat:enterprise_linux:mod_cluster-demo, p-cpe:/a:redhat:enterprise_linux:mod_cluster-native, p-cpe:/a:redhat:enterprise_linux:mod_jk-ap22, p-cpe:/a:redhat:enterprise_linux:objectweb-asm-eap6, p-cpe:/a:redhat:enterprise_linux:opensaml, p-cpe:/a:redhat:enterprise_linux:openws, p-cpe:/a:redhat:enterprise_linux:org.apache.felix.configadmin, p-cpe:/a:redhat:enterprise_linux:org.apache.felix.log, p-cpe:/a:redhat:enterprise_linux:org.osgi.core-eap6, p-cpe:/a:redhat:enterprise_linux:org.osgi.enterprise-eap6, p-cpe:/a:redhat:enterprise_linux:picketbox, p-cpe:/a:redhat:enterprise_linux:picketlink-federation, p-cpe:/a:redhat:enterprise_linux:resteasy, p-cpe:/a:redhat:enterprise_linux:scannotation, p-cpe:/a:redhat:enterprise_linux:shrinkwrap-api, p-cpe:/a:redhat:enterprise_linux:shrinkwrap-impl-base, p-cpe:/a:redhat:enterprise_linux:shrinkwrap-parent, p-cpe:/a:redhat:enterprise_linux:shrinkwrap-spi, p-cpe:/a:redhat:enterprise_linux:slf4j-eap6, p-cpe:/a:redhat:enterprise_linux:stilts, p-cpe:/a:redhat:enterprise_linux:sun-ws-metadata-2.0-api, p-cpe:/a:redhat:enterprise_linux:velocity-eap6, p-cpe:/a:redhat:enterprise_linux:weld-cdi-1.0-api, p-cpe:/a:redhat:enterprise_linux:weld-core, p-cpe:/a:redhat:enterprise_linux:ws-commons-xmlschema, p-cpe:/a:redhat:enterprise_linux:ws-commons-neethi, p-cpe:/a:redhat:enterprise_linux:ws-scout, p-cpe:/a:redhat:enterprise_linux:wsdl4j-eap6, p-cpe:/a:redhat:enterprise_linux:wss4j, p-cpe:/a:redhat:enterprise_linux:xerces-j2-eap6, p-cpe:/a:redhat:enterprise_linux:xjc-utils, p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver-eap6, p-cpe:/a:redhat:enterprise_linux:xml-security, p-cpe:/a:redhat:enterprise_linux:xmltooling, p-cpe:/a:redhat:enterprise_linux:xom, cpe:/o:redhat:enterprise_linux:6

必要的 KB 項目: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

可輕鬆利用: No known exploits are available

修補程式發佈日期: 2013/12/4

弱點發布日期: 2013/8/28

參考資訊

CVE: CVE-2013-2035, CVE-2013-2133

RHSA: 2013:1786