Detections
Analytics
RHEL 7 : Red Hat JBoss Enterprise Application Platform 6.4.0 update (Important) (RHSA-2015:0848)
high Nessus Plugin ID 112239
Language:
Synopsis
The remote Red Hat host is missing one or more security updates.Description
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2015:0848 advisory.Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.
It was found that a prior countermeasure in Apache WSS4J for Bleichenbacher's attack on XML Encryption (CVE-2011-2487) threw an exception that permitted an attacker to determine the failure of the attempted attack, thereby leaving WSS4J vulnerable to the attack.
The original flaw allowed a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2015-0226)
A flaw was found in the way PicketLink's Service Provider and Identity Provider handled certain requests. A remote attacker could use this flaw to log to a victim's account via PicketLink. (CVE-2015-0277)
It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them. (CVE-2014-8111)
It was found that Apache WSS4J permitted bypass of the requireSignedEncryptedDataElements configuration property via XML Signature wrapping attacks. A remote attacker could use this flaw to modify the contents of a signed request. (CVE-2015-0227)
It was found that the Command Line Interface, as provided by Red Hat Enterprise Application Platform, created a history file named .jboss-cli-history in the user's home directory with insecure default file permissions. This could allow a malicious local user to gain information otherwise not accessible to them. (CVE-2014-3586)
The CVE-2015-0277 issue was discovered by Ondrej Kotek of Red Hat.
This release of JBoss Enterprise Application Platform also includes bug fixes and enhancements. Documentation for these changes will be available shortly from the JBoss Enterprise Application Platform 6.4.0 Release Notes, linked to in the References.
All users who require JBoss Enterprise Application Platform 6.4.0 on Red Hat Enterprise Linux 7 should install these new packages. The JBoss server process must be restarted for the update to take effect.
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
http://www.nessus.org/u?5f636a44
http://www.nessus.org/u?8e416bf1
https://access.redhat.com/errata/RHSA-2015:0848
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=1126687
https://bugzilla.redhat.com/show_bug.cgi?id=1155446
https://bugzilla.redhat.com/show_bug.cgi?id=1158979
https://bugzilla.redhat.com/show_bug.cgi?id=1165221
https://bugzilla.redhat.com/show_bug.cgi?id=1165229
https://bugzilla.redhat.com/show_bug.cgi?id=1166456
https://bugzilla.redhat.com/show_bug.cgi?id=1166746
https://bugzilla.redhat.com/show_bug.cgi?id=1167398
https://bugzilla.redhat.com/show_bug.cgi?id=1167920
https://bugzilla.redhat.com/show_bug.cgi?id=1167927
https://bugzilla.redhat.com/show_bug.cgi?id=1179791
https://bugzilla.redhat.com/show_bug.cgi?id=1179831
https://bugzilla.redhat.com/show_bug.cgi?id=1179838
https://bugzilla.redhat.com/show_bug.cgi?id=1179845
https://bugzilla.redhat.com/show_bug.cgi?id=1179848
https://bugzilla.redhat.com/show_bug.cgi?id=1182591
https://bugzilla.redhat.com/show_bug.cgi?id=1182975
https://bugzilla.redhat.com/show_bug.cgi?id=1182981
https://bugzilla.redhat.com/show_bug.cgi?id=1182985
https://bugzilla.redhat.com/show_bug.cgi?id=1182991
https://bugzilla.redhat.com/show_bug.cgi?id=1182995
https://bugzilla.redhat.com/show_bug.cgi?id=1182997
https://bugzilla.redhat.com/show_bug.cgi?id=1183000
https://bugzilla.redhat.com/show_bug.cgi?id=1188724
https://bugzilla.redhat.com/show_bug.cgi?id=1188727
https://bugzilla.redhat.com/show_bug.cgi?id=1188731
https://bugzilla.redhat.com/show_bug.cgi?id=1188736
https://bugzilla.redhat.com/show_bug.cgi?id=1188939
https://bugzilla.redhat.com/show_bug.cgi?id=1188946
https://bugzilla.redhat.com/show_bug.cgi?id=1188953
https://bugzilla.redhat.com/show_bug.cgi?id=1188959
https://bugzilla.redhat.com/show_bug.cgi?id=1188967
https://bugzilla.redhat.com/show_bug.cgi?id=1188978
https://bugzilla.redhat.com/show_bug.cgi?id=1188985
https://bugzilla.redhat.com/show_bug.cgi?id=1188988
https://bugzilla.redhat.com/show_bug.cgi?id=1188991
https://bugzilla.redhat.com/show_bug.cgi?id=1188994
https://bugzilla.redhat.com/show_bug.cgi?id=1191446
https://bugzilla.redhat.com/show_bug.cgi?id=1191451
https://bugzilla.redhat.com/show_bug.cgi?id=1194832
https://bugzilla.redhat.com/show_bug.cgi?id=1195910
https://bugzilla.redhat.com/show_bug.cgi?id=1195914
https://bugzilla.redhat.com/show_bug.cgi?id=1195918
https://bugzilla.redhat.com/show_bug.cgi?id=1195923
https://bugzilla.redhat.com/show_bug.cgi?id=1195926
https://bugzilla.redhat.com/show_bug.cgi?id=1195929
https://bugzilla.redhat.com/show_bug.cgi?id=1195932
https://bugzilla.redhat.com/show_bug.cgi?id=1195935
https://bugzilla.redhat.com/show_bug.cgi?id=1195938
https://bugzilla.redhat.com/show_bug.cgi?id=1195943
Plugin Details
Severity: High
ID: 112239
File Name: redhat-RHSA-2015-0848.nasl
Version: 1.8
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 9/4/2018
Updated: 4/29/2025
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
Vendor
Vendor Severity: Important
CVSS v2
Risk Factor: Medium
Base Score: 6
Temporal Score: 4.4
Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS Score Source: CVE-2015-6254
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
CVSS Score Source: CVE-2015-0226
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:eap6-avro, p-cpe:/a:redhat:enterprise_linux:eap6-rngom, p-cpe:/a:redhat:enterprise_linux:httpcomponents-client-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-jaspi-api_1.0_spec, p-cpe:/a:redhat:enterprise_linux:picketlink-bindings, p-cpe:/a:redhat:enterprise_linux:jboss-rmi-api_1.0_spec, p-cpe:/a:redhat:enterprise_linux:apache-commons-lang-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-servlet-api_3.0_spec, p-cpe:/a:redhat:enterprise_linux:org.osgi.enterprise-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-osgi-logging, p-cpe:/a:redhat:enterprise_linux:jboss-xnio-base, p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient, p-cpe:/a:redhat:enterprise_linux:httpd22-tools, p-cpe:/a:redhat:enterprise_linux:httpd22-manual, p-cpe:/a:redhat:enterprise_linux:apache-commons-pool-eap6, p-cpe:/a:redhat:enterprise_linux:tomcat-native, p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all, p-cpe:/a:redhat:enterprise_linux:jboss-j2eemgmt-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging, p-cpe:/a:redhat:enterprise_linux:jboss-aesh, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin, p-cpe:/a:redhat:enterprise_linux:glassfish-jaf, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-ear, p-cpe:/a:redhat:enterprise_linux:infinispan-core, p-cpe:/a:redhat:enterprise_linux:jboss-as-weld, p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering, p-cpe:/a:redhat:enterprise_linux:jcip-annotations-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-modules, p-cpe:/a:redhat:enterprise_linux:mod_cluster-demo, p-cpe:/a:redhat:enterprise_linux:jboss-logging, p-cpe:/a:redhat:enterprise_linux:sun-ws-metadata-2.0-api, p-cpe:/a:redhat:enterprise_linux:apache-commons-daemon-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin, p-cpe:/a:redhat:enterprise_linux:httpserver, p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6, p-cpe:/a:redhat:enterprise_linux:eap6-snakeyaml, p-cpe:/a:redhat:enterprise_linux:httpcomponents-core-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap, p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap, p-cpe:/a:redhat:enterprise_linux:sun-xsom, p-cpe:/a:redhat:enterprise_linux:jboss-dmr, p-cpe:/a:redhat:enterprise_linux:jbossxb2, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller, p-cpe:/a:redhat:enterprise_linux:httpcore-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-ejb, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-mapper-asl, p-cpe:/a:redhat:enterprise_linux:jboss-as-threads, p-cpe:/a:redhat:enterprise_linux:jbosgi-resolver, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:jdom-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-jaxb-api_2.2_spec, p-cpe:/a:redhat:enterprise_linux:hibernate-jpa-2.0-api, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service, p-cpe:/a:redhat:enterprise_linux:jboss-genericjms, p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb, p-cpe:/a:redhat:enterprise_linux:httpcomponents-project-eap6, p-cpe:/a:redhat:enterprise_linux:glassfish-jsf12-eap6, p-cpe:/a:redhat:enterprise_linux:eap6-apache-commons-configuration, p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-core-asl, p-cpe:/a:redhat:enterprise_linux:jboss-as-server, p-cpe:/a:redhat:enterprise_linux:jboss-as-console, p-cpe:/a:redhat:enterprise_linux:mod_cluster-native, p-cpe:/a:redhat:enterprise_linux:picketlink-federation, p-cpe:/a:redhat:enterprise_linux:jboss-as-logging, p-cpe:/a:redhat:enterprise_linux:jboss-hal, p-cpe:/a:redhat:enterprise_linux:jbossas-jbossweb-native, p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink, p-cpe:/a:redhat:enterprise_linux:mod_cluster, p-cpe:/a:redhat:enterprise_linux:jboss-as-version, p-cpe:/a:redhat:enterprise_linux:velocity-eap6, p-cpe:/a:redhat:enterprise_linux:atinject-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-jaxr-api_1.0_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner, p-cpe:/a:redhat:enterprise_linux:jboss-as-network, p-cpe:/a:redhat:enterprise_linux:picketbox, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6, p-cpe:/a:redhat:enterprise_linux:org.osgi.core-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-logmanager, p-cpe:/a:redhat:enterprise_linux:objectweb-asm-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-annotations-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:apache-mime4j, p-cpe:/a:redhat:enterprise_linux:httpd22, p-cpe:/a:redhat:enterprise_linux:infinispan-cachestore-remote, p-cpe:/a:redhat:enterprise_linux:jbosgi-vfs, p-cpe:/a:redhat:enterprise_linux:jboss-servlet-api_2.5_spec, p-cpe:/a:redhat:enterprise_linux:httpcomponents-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs, p-cpe:/a:redhat:enterprise_linux:jboss-jms-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-sar, p-cpe:/a:redhat:enterprise_linux:jbosgi-deployment, p-cpe:/a:redhat:enterprise_linux:jboss-iiop-client, p-cpe:/a:redhat:enterprise_linux:jboss-interceptors-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management, p-cpe:/a:redhat:enterprise_linux:eap6-apache-commons-cli, p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-transaction-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:weld-cdi-1.0-api, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee, p-cpe:/a:redhat:enterprise_linux:jboss-connector-api_1.6_spec, p-cpe:/a:redhat:enterprise_linux:hibernate-beanvalidation-api, p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs, p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp, p-cpe:/a:redhat:enterprise_linux:jboss-vfs2, p-cpe:/a:redhat:enterprise_linux:mod_snmp, p-cpe:/a:redhat:enterprise_linux:jbosgi-metadata, p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-web, p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap, p-cpe:/a:redhat:enterprise_linux:sun-txw2, p-cpe:/a:redhat:enterprise_linux:jboss-jad-api_1.2_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx, p-cpe:/a:redhat:enterprise_linux:hornetq-native, p-cpe:/a:redhat:enterprise_linux:jbosgi-framework-core, p-cpe:/a:redhat:enterprise_linux:hibernate4-search, p-cpe:/a:redhat:enterprise_linux:eap6-joda-time, p-cpe:/a:redhat:enterprise_linux:eap6-apache-commons-codec, p-cpe:/a:redhat:enterprise_linux:glassfish-jsf-eap6, p-cpe:/a:redhat:enterprise_linux:hornetq, p-cpe:/a:redhat:enterprise_linux:eap6-ecj, p-cpe:/a:redhat:enterprise_linux:infinispan-client-hotrod, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-seam-int, p-cpe:/a:redhat:enterprise_linux:jboss-as-cli, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-common, p-cpe:/a:redhat:enterprise_linux:jboss-threads, p-cpe:/a:redhat:enterprise_linux:jbosgi-repository, p-cpe:/a:redhat:enterprise_linux:sun-codemodel, p-cpe:/a:redhat:enterprise_linux:apache-commons-io-eap6, p-cpe:/a:redhat:enterprise_linux:eap6-jandex, p-cpe:/a:redhat:enterprise_linux:javassist-eap6, p-cpe:/a:redhat:enterprise_linux:resteasy, p-cpe:/a:redhat:enterprise_linux:httpd22-devel, p-cpe:/a:redhat:enterprise_linux:mod_jk-ap22, p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-domain, p-cpe:/a:redhat:enterprise_linux:jboss-as-web, p-cpe:/a:redhat:enterprise_linux:jboss-sasl, p-cpe:/a:redhat:enterprise_linux:hibernate3-commons-annotations, p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-jaxrs-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-connector, p-cpe:/a:redhat:enterprise_linux:jbossas-bundles, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-xc, p-cpe:/a:redhat:enterprise_linux:mod_jk, p-cpe:/a:redhat:enterprise_linux:relaxngdatatype-eap6, p-cpe:/a:redhat:enterprise_linux:staxmapper, p-cpe:/a:redhat:enterprise_linux:log4j-jboss-logmanager, p-cpe:/a:redhat:enterprise_linux:jboss-jsp-api_2.2_spec, p-cpe:/a:redhat:enterprise_linux:eap6-jansi, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson, p-cpe:/a:redhat:enterprise_linux:jbossas-standalone, p-cpe:/a:redhat:enterprise_linux:mod_rt, p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment, p-cpe:/a:redhat:enterprise_linux:jbossweb, p-cpe:/a:redhat:enterprise_linux:jboss-as-naming, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-jaxrpc-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77, p-cpe:/a:redhat:enterprise_linux:jboss-common-beans, p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http, p-cpe:/a:redhat:enterprise_linux:jbossas-appclient, p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded, p-cpe:/a:redhat:enterprise_linux:infinispan, p-cpe:/a:redhat:enterprise_linux:jul-to-slf4j-stub, p-cpe:/a:redhat:enterprise_linux:jbosgi-spi, p-cpe:/a:redhat:enterprise_linux:jboss-ejb-api_3.1_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting, p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa, p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr, p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr, p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client, p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf, p-cpe:/a:redhat:enterprise_linux:picketbox-commons, p-cpe:/a:redhat:enterprise_linux:httpclient-eap6, p-cpe:/a:redhat:enterprise_linux:infinispan-cachestore-jdbc, p-cpe:/a:redhat:enterprise_linux:jboss-remote-naming, p-cpe:/a:redhat:enterprise_linux:jboss-weld-1.1-api, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-jaxrs, p-cpe:/a:redhat:enterprise_linux:jbossas-hornetq-native, p-cpe:/a:redhat:enterprise_linux:eap6-cal10n, p-cpe:/a:redhat:enterprise_linux:jboss-common-core, p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo, p-cpe:/a:redhat:enterprise_linux:lucene-solr, p-cpe:/a:redhat:enterprise_linux:jboss-as-mail, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-appclient, p-cpe:/a:redhat:enterprise_linux:hibernate4-validator, p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3, p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-metadata, p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean, p-cpe:/a:redhat:enterprise_linux:mod_ssl22, p-cpe:/a:redhat:enterprise_linux:glassfish-javamail, p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-core, p-cpe:/a:redhat:enterprise_linux:httpmime-eap6, p-cpe:/a:redhat:enterprise_linux:jbossts, p-cpe:/a:redhat:enterprise_linux:jboss-as-xts, p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions, p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices, p-cpe:/a:redhat:enterprise_linux:jboss-classfilewriter, p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Ease: No known exploits are available
Patch Publication Date: 4/16/2015
Vulnerability Publication Date: 2/12/2015
Reference Information
CVE: CVE-2014-3586, CVE-2014-8111, CVE-2015-0226, CVE-2015-0227, CVE-2015-0277, CVE-2015-0298, CVE-2015-6254