The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0481 advisory.

  - resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)

  - artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)

  - undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)

  - infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)     (CVE-2017-15095)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)     (CVE-2017-17485)

  - undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)

  - jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and     CVE-2017-17485) (CVE-2018-5968)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 6 / 7 : jboss-ec2-eap package for EAP 7.1.1 (Important) (RHSA-2018:0481)

critical Nessus Plugin ID 108325

Version 1.7