RHEL 5 : Red Hat JBoss Enterprise Application Platform 6.3.3 update (Moderate) (RHSA-2015:0216)

medium Nessus Plugin ID 81339

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2015:0216 advisory.

- JBoss Security: Wrong security context loaded when using SAML2 STS Login Module (CVE-2014-7827)

- RESTeasy: External entities expanded by DocumentProvider (CVE-2014-7839)

- JBoss AS/WildFly Domain Management: Limited RBAC authorization bypass (CVE-2014-7849)

- JBoss AS/WildFly JacORB Subsystem: Information disclosure via incorrect sensitivity classification of attribute (CVE-2014-7853)

- JBoss Weld: Limited information disclosure via stale thread state (CVE-2014-8122)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?762421f6

http://www.nessus.org/u?764f0821

https://access.redhat.com/errata/RHSA-2015:0216

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1160574

https://bugzilla.redhat.com/show_bug.cgi?id=1165170

https://bugzilla.redhat.com/show_bug.cgi?id=1165328

https://bugzilla.redhat.com/show_bug.cgi?id=1165522

https://bugzilla.redhat.com/show_bug.cgi?id=1169237

https://bugzilla.redhat.com/show_bug.cgi?id=1179415

https://bugzilla.redhat.com/show_bug.cgi?id=1179418

https://bugzilla.redhat.com/show_bug.cgi?id=1179426

https://bugzilla.redhat.com/show_bug.cgi?id=1179429

https://bugzilla.redhat.com/show_bug.cgi?id=1179433

https://bugzilla.redhat.com/show_bug.cgi?id=1179436

https://bugzilla.redhat.com/show_bug.cgi?id=1179439

https://bugzilla.redhat.com/show_bug.cgi?id=1179443

https://bugzilla.redhat.com/show_bug.cgi?id=1181731

https://bugzilla.redhat.com/show_bug.cgi?id=1181734

https://bugzilla.redhat.com/show_bug.cgi?id=1181737

https://bugzilla.redhat.com/show_bug.cgi?id=1181741

https://bugzilla.redhat.com/show_bug.cgi?id=1181746

https://bugzilla.redhat.com/show_bug.cgi?id=1181749

https://bugzilla.redhat.com/show_bug.cgi?id=1181757

https://bugzilla.redhat.com/show_bug.cgi?id=1181760

https://bugzilla.redhat.com/show_bug.cgi?id=1181837

Plugin Details

Severity: Medium

ID: 81339

File Name: redhat-RHSA-2015-0216.nasl

Version: 1.12

Type: local

Agent: unix

Published: 2/13/2015

Updated: 4/24/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.3

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2014-7839

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:antlr-eap6, p-cpe:/a:redhat:enterprise_linux:apache-cxf, p-cpe:/a:redhat:enterprise_linux:glassfish-jsf-eap6, p-cpe:/a:redhat:enterprise_linux:guava-libraries, p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6, p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6, p-cpe:/a:redhat:enterprise_linux:hornetq, p-cpe:/a:redhat:enterprise_linux:httpserver, p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service, p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink, p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean, p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo, p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol, p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting, p-cpe:/a:redhat:enterprise_linux:jboss-as-sar, p-cpe:/a:redhat:enterprise_linux:jboss-as-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-server, p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-as-threads, p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions, p-cpe:/a:redhat:enterprise_linux:jboss-as-version, p-cpe:/a:redhat:enterprise_linux:jboss-as-web, p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices, p-cpe:/a:redhat:enterprise_linux:jboss-as-weld, p-cpe:/a:redhat:enterprise_linux:jboss-as-xts, p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client, p-cpe:/a:redhat:enterprise_linux:jboss-hal, p-cpe:/a:redhat:enterprise_linux:jboss-marshalling, p-cpe:/a:redhat:enterprise_linux:jboss-modules, p-cpe:/a:redhat:enterprise_linux:jboss-remoting3, p-cpe:/a:redhat:enterprise_linux:jboss-security-negotiation, p-cpe:/a:redhat:enterprise_linux:jbossas-appclient, p-cpe:/a:redhat:enterprise_linux:jbossas-bundles, p-cpe:/a:redhat:enterprise_linux:jbossas-core, p-cpe:/a:redhat:enterprise_linux:jbossas-domain, p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs, p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap, p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap, p-cpe:/a:redhat:enterprise_linux:jboss-as-cli, p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all, p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering, p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp, p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin, p-cpe:/a:redhat:enterprise_linux:jboss-as-connector, p-cpe:/a:redhat:enterprise_linux:jboss-as-console, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client, p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment, p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3, p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded, p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs, p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr, p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77, p-cpe:/a:redhat:enterprise_linux:jboss-as-logging, p-cpe:/a:redhat:enterprise_linux:jboss-as-mail, p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content, p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging, p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster, p-cpe:/a:redhat:enterprise_linux:jboss-as-naming, p-cpe:/a:redhat:enterprise_linux:jboss-as-network, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin, p-cpe:/a:redhat:enterprise_linux:jbossts, p-cpe:/a:redhat:enterprise_linux:jbossweb, p-cpe:/a:redhat:enterprise_linux:jbossws-cxf, p-cpe:/a:redhat:enterprise_linux:jbossws-spi, p-cpe:/a:redhat:enterprise_linux:picketbox, p-cpe:/a:redhat:enterprise_linux:picketlink-bindings, p-cpe:/a:redhat:enterprise_linux:picketlink-federation, p-cpe:/a:redhat:enterprise_linux:resteasy, p-cpe:/a:redhat:enterprise_linux:sun-istack-commons, p-cpe:/a:redhat:enterprise_linux:sun-saaj-1.3-impl, p-cpe:/a:redhat:enterprise_linux:weld-core, p-cpe:/a:redhat:enterprise_linux:wss4j, cpe:/o:redhat:enterprise_linux:5, p-cpe:/a:redhat:enterprise_linux:jbossas-standalone, p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 2/11/2015

Reference Information

CVE: CVE-2014-7827, CVE-2014-7839, CVE-2014-7849, CVE-2014-7853, CVE-2014-8122

BID: 74252, 74424, 74425

CWE: 200, 611, 863

RHSA: 2015:0216