The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:2935 advisory.

  - undertow: Information leak in requests for directories without trailing slashes (CVE-2019-10184)

  - codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities (CVE-2019-10202)

  - undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files     (CVE-2019-10212)

  - jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.
    (CVE-2019-12086)

  - jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to     remote code execution (CVE-2019-12384)

  - jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via     crafted JSON message. (CVE-2019-12814)

  - jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.2.4 on RHEL 6 Security update (Important) (RHSA-2019:2935)

critical Nessus Plugin ID 129516

Version 1.5