RESTEasy enables GZIPInterceptor, which allows remote attackers to cause a denial of service via unspecified vectors.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:1222 advisory.

  - RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack (CVE-2016-6346)

  - pulp: Improper path parsing leads to overwriting of iso repositories (CVE-2018-10917)

  - foreman: Persisted XSS on all pages that use breadcrumbs (CVE-2018-14664)

  - foreman: stored XSS in success notification after entity creation (CVE-2018-16861)

  - katello: stored XSS in subscriptions and repositories pages (CVE-2018-16887)

  - candlepin: credentials exposure through log files (CVE-2019-3891)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 6.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.13, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es) :

* It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted. (CVE-2016-8657)

* It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. (CVE-2017-6056)

* It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346)

Red Hat would like to thank Mikhail Egorov (Odin) for reporting the CVE-2016-6346 issue.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0004 advisory.

  - RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack (CVE-2016-6346)

  - undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666) (CVE-2017-7559)

  - resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)

  - undertow: improper whitespace parsing leading to potential HTTP request smuggling (CVE-2017-12165)

  - EAP-7: Wrong privileges on multiple property files (CVE-2017-12167)

  - jboss: unsafe chown of server.log in jboss init script allows privilege escalation (Incomplete fix for     CVE-2016-8656) (CVE-2017-12189)

  - Solr: Code execution via entity expansion (CVE-2017-12629)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0002 advisory.

  - RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack (CVE-2016-6346)

  - undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666) (CVE-2017-7559)

  - resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)

  - undertow: improper whitespace parsing leading to potential HTTP request smuggling (CVE-2017-12165)

  - EAP-7: Wrong privileges on multiple property files (CVE-2017-12167)

  - jboss: unsafe chown of server.log in jboss init script allows privilege escalation (Incomplete fix for     CVE-2016-8656) (CVE-2017-12189)

  - Solr: Code execution via entity expansion (CVE-2017-12629)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0005 advisory.

  - RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack (CVE-2016-6346)

  - undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666) (CVE-2017-7559)

  - resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)

  - undertow: improper whitespace parsing leading to potential HTTP request smuggling (CVE-2017-12165)

  - EAP-7: Wrong privileges on multiple property files (CVE-2017-12167)

  - jboss: unsafe chown of server.log in jboss init script allows privilege escalation (Incomplete fix for     CVE-2016-8656) (CVE-2017-12189)

  - Solr: Code execution via entity expansion (CVE-2017-12629)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 6.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.13, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es) :

* It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted. (CVE-2016-8657)

* It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. (CVE-2017-6056)

* It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346)

Red Hat would like to thank Mikhail Egorov (Odin) for reporting the CVE-2016-6346 issue.

An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 6.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.13, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es) :

* It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted. (CVE-2016-8657)

* It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. (CVE-2017-6056)

* It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346)

Red Hat would like to thank Mikhail Egorov (Odin) for reporting the CVE-2016-6346 issue.

An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).

With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.14.

Security Fix(es) :

* It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted. (CVE-2016-8657)

* It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. (CVE-2017-6056)

* It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346)

Red Hat would like to thank Mikhail Egorov (Odin) for reporting the CVE-2016-6346 issue.

ID	Name	Product	Family	Severity
125052	RHEL 7 : Satellite 6.5 Release (Moderate) (RHSA-2019:1222)	Nessus	Red Hat Local Security Checks	high
112253	RHEL 7 : JBoss EAP (RHSA-2017:0828)	Nessus	Red Hat Local Security Checks	high
105560	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.0.9 security update on RHEL 7 (Important) (RHSA-2018:0004)	Nessus	Red Hat Local Security Checks	critical
105559	RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.0.9 security update on RHEL 6 (Important) (RHSA-2018:0002)	Nessus	Red Hat Local Security Checks	critical
105522	RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2018:0005)	Nessus	Red Hat Local Security Checks	critical
97933	RHEL 6 : JBoss EAP (RHSA-2017:0827)	Nessus	Red Hat Local Security Checks	high
97932	RHEL 5 : JBoss EAP (RHSA-2017:0826)	Nessus	Red Hat Local Security Checks	high
97909	RHEL 6 : jboss-ec2-eap (RHSA-2017:0829)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2016-6346

high

Tenable Plugins

high

high

critical

critical

critical

high

high

high