Detections
Analytics

RHEL 9 : Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 9 (RHSA-2023:7639)

high Nessus Plugin ID 186544

Language:

Synopsis

The remote Red Hat host is missing one or more security updates for Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 9.

Description

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:7639 advisory.

 - guava: insecure temporary directory creation (CVE-2023-2976)

 - eap-galleon: custom provisioning creates unsecured http-invoker (CVE-2023-4503)

 - xnio: StackOverflowException when the chain of notifier states becomes problematically big (CVE-2023-5685)

 - jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)

 - jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

 - apache-mina-sshd: information exposure in SFTP server implementations (CVE-2023-35887)

 - apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)

 - HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 9 package based on the guidance in RHSA-2023:7639.

See Also

http://www.nessus.org/u?327e7d12

http://www.nessus.org/u?424053a6

http://www.nessus.org/u?95a15247

https://access.redhat.com/errata/RHSA-2023:7639

https://access.redhat.com/security/updates/classification/#important

https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

https://bugzilla.redhat.com/show_bug.cgi?id=2184751

https://bugzilla.redhat.com/show_bug.cgi?id=2215229

https://bugzilla.redhat.com/show_bug.cgi?id=2236340

https://bugzilla.redhat.com/show_bug.cgi?id=2236341

https://bugzilla.redhat.com/show_bug.cgi?id=2240036

https://bugzilla.redhat.com/show_bug.cgi?id=2242521

https://bugzilla.redhat.com/show_bug.cgi?id=2242803

https://issues.redhat.com/browse/JBEAP-25004

https://issues.redhat.com/browse/JBEAP-25085

https://issues.redhat.com/browse/JBEAP-25086

https://issues.redhat.com/browse/JBEAP-25378

https://issues.redhat.com/browse/JBEAP-25380

https://issues.redhat.com/browse/JBEAP-25419

https://issues.redhat.com/browse/JBEAP-25451

https://issues.redhat.com/browse/JBEAP-25457

https://issues.redhat.com/browse/JBEAP-25541

https://issues.redhat.com/browse/JBEAP-25547

https://issues.redhat.com/browse/JBEAP-25576

https://issues.redhat.com/browse/JBEAP-25594

https://issues.redhat.com/browse/JBEAP-25627

https://issues.redhat.com/browse/JBEAP-25657

https://issues.redhat.com/browse/JBEAP-25685

https://issues.redhat.com/browse/JBEAP-25700

https://issues.redhat.com/browse/JBEAP-25716

https://issues.redhat.com/browse/JBEAP-25726

https://issues.redhat.com/browse/JBEAP-25772

https://issues.redhat.com/browse/JBEAP-25779

https://issues.redhat.com/browse/JBEAP-25803

https://issues.redhat.com/browse/JBEAP-25838

https://issues.redhat.com/browse/JBEAP-26041

Plugin Details

Severity: High

ID: 186544

File Name: redhat-RHSA-2023-7639.nasl

Version: 1.6

Type: local

Agent: unix

Published: 12/4/2023

Updated: 4/28/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.1

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-4503

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-component-annotations, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-core, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-hibernate-cache-commons, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-hibernate-cache-spi, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-hibernate-cache-v53, p-cpe:/a:redhat:enterprise_linux:eap7-jandex, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsp-api_2.3_spec, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-marshalling, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-marshalling-river, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base, p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-cxf, p-cpe:/a:redhat:enterprise_linux:eap7-jgroups, p-cpe:/a:redhat:enterprise_linux:eap7-undertow, p-cpe:/a:redhat:enterprise_linux:eap7-weld-core, p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl, p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf, p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb, p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta, p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core, p-cpe:/a:redhat:enterprise_linux:eap7-weld-web, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk17, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client, p-cpe:/a:redhat:enterprise_linux:eap7-yasson, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools, p-cpe:/a:redhat:enterprise_linux:eap7-apache-sshd, p-cpe:/a:redhat:enterprise_linux:eap7-avro, p-cpe:/a:redhat:enterprise_linux:eap7-guava, p-cpe:/a:redhat:enterprise_linux:eap7-guava-libraries, p-cpe:/a:redhat:enterprise_linux:eap7-hal-console, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-jdbc, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-remote, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-client-hotrod, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-commons

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/4/2023

Vulnerability Publication Date: 4/18/2023

CISA Known Exploited Vulnerability Due Dates: 10/31/2023

Reference Information

CVE: CVE-2023-26048, CVE-2023-26049, CVE-2023-2976, CVE-2023-35887, CVE-2023-39410, CVE-2023-44487, CVE-2023-4503, CVE-2023-5685

CWE: 1286, 22, 400, 502, 552, 665, 770

RHSA: 2023:7639