RHEL 5 / 6 : JBoss Web Server (RHSA-2015:1642)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

An update for Red Hat JBoss Web Server 2.1.0 that fixes two security
issues is now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the
Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat
Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and
the Tomcat Native library.

A flaw was found in the way the mod_cluster manager processed certain
MCMP messages. An attacker with access to the network from which MCMP
messages are allowed to be sent could use this flaw to execute
arbitrary JavaScript code in the mod_cluster manager web interface.
(CVE-2015-0298)

It was discovered that a JkUnmount rule for a subtree of a previous
JkMount rule could be ignored. This could allow a remote attacker to
potentially access a private artifact in a tree that would otherwise
not be accessible to them. (CVE-2014-8111)

All users of Red Hat JBoss Web Server 2.1.0 are advised to apply this
update. The Red Hat JBoss Web Server process must be restarted for the
update to take effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2014-8111.html
https://www.redhat.com/security/data/cve/CVE-2015-0298.html
http://rhn.redhat.com/errata/RHSA-2015-1642.html

Solution :

Update the affected mod_cluster-native, mod_jk-ap22 and / or
mod_jk-manual packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.8
(CVSS2#E:U/RL:U/RC:UC)
Public Exploit Available : false

Family: Red Hat Local Security Checks

Nessus Plugin ID: 85563

CVE ID: CVE-2014-8111, CVE-2015-0298