The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2423 advisory.

    Red Hat JBoss Enterprise Application Platform is a platform for Java     applications based on the JBoss Application Server.

    This release of Red Hat JBoss Enterprise Application Platform 7.1.4 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.1.3, and includes bug fixes and enhancements, which are documented     in the Release Notes document linked to in the References.

    Security Fix(es):

    * guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote     attackers to cause a denial of service (CVE-2018-10237)

    * bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)

    * cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services     (CVE-2017-12624)

    * wildfly: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files     (CVE-2018-10862)

    * cxf-core: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*     (CVE-2018-8039)

    For more details about the security issue(s), including the impact, a CVSS     score, and other related information, refer to the CVE page(s) listed in the     References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for bouncycastle fixes the following security issue :

  - CVE-2018-1000180: Fixed flaw in the Low-level interface     to RSA key pair generator. RSA Key Pairs generated in     low-level API with added certainty may had less M-R     tests than expected (bsc#1096291).

The Legion of the Bouncy Castle reports :

Release 1.60 is now available for download.

CVE-2018-1000180: issue around primality tests for RSA key pair generation if done using only the low-level API.

CVE-2018-1000613: lack of class checking in deserialization of XMSS/XMSS^MT private keys with BDS state information.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2018:2643 advisory.

    The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization     Manager. The appliance is available to download as an OVA file from the Customer Portal.

    The following packages have been upgraded to a later upstream version: rhvm-appliance (4.2). (BZ#1590658,     BZ#1591095, BZ#1591096, BZ#1592655, BZ#1594636, BZ#1597534, BZ#1612683)

    Red Hat would like to thank the PostgreSQL project for reporting CVE-2018-10915 and Ammarit Thongthua     (Deloitte Thailand Pentest team) and Nattakit Intarasorn (Deloitte Thailand Pentest team) for reporting     CVE-2018-1067. Upstream acknowledges Andrew Krasichkov as the original reporter of CVE-2018-10915.

    Security fixes:

    * vulnerability: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary     files (Zip Slip) (CVE-2018-10862)

    * vulnerability: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*     (CVE-2018-8039)

    * vulnerability: postgresql: Certain host connection parameters defeat client-side security defenses     (CVE-2018-10915)

    * vulnerability: undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of )     (CVE-2018-1067, CVE-2016-4993)

    * vulnerability: undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows     attacker to cause a denial of service (CVE-2018-1114)

    * vulnerability: guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes     allow remote attackers to cause a denial of service (CVE-2018-10237)

    * vulnerability: bouncycastle: flaw in the low-level interface to RSA key pair generator     (CVE-2018-1000180)

    For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other     related information, refer to the CVE pages listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2424 advisory.

    Red Hat JBoss Enterprise Application Platform is a platform for Java     applications based on the JBoss Application Server.

    This release of Red Hat JBoss Enterprise Application Platform 7.1.4 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.1.3, and includes bug fixes and enhancements, which are documented     in the Release Notes document linked to in the References.

    Security Fix(es):

    * guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote     attackers to cause a denial of service (CVE-2018-10237)

    * bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)

    * cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services     (CVE-2017-12624)

    * wildfly: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files     (CVE-2018-10862)

    * cxf-core: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*     (CVE-2018-8039)

    For more details about the security issue(s), including the impact, a CVSS     score, and other related information, refer to the CVE page(s) listed in the     References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities:

  - XML external entity (XXE) vulnerability in the SqlXmlUtil code     in Apache Derby before 10.12.1.1, when a Java Security Manager     is not in place, allows context-dependent attackers to read     arbitrary files or cause a denial of service (resource     consumption) via vectors involving XmlVTI and the XML datatype.
    (CVE-2015-1832)

  - Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and     earlier have a flaw in the Low-level interface to RSA key pair     generator, specifically RSA Key Pairs generated in low-level API     with added certainty may have less M-R tests than expected. This     appears to be fixed in versions BC 1.60 beta 4 and later,     BC-FJA 1.0.2 and later. (CVE-2018-1000180)

  - Vulnerability in the Oracle WebLogic Server component of Oracle     Fusion Middleware (subcomponent: WLS Core Components). Supported     versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3.
    Easily exploitable vulnerability allows high privileged attacker     with network access via HTTP to compromise Oracle WebLogic     Server. Successful attacks of this vulnerability can result in     unauthorized creation, deletion or modification access to     critical data or all Oracle WebLogic Server accessible data as     well as unauthorized read access to a subset of Oracle WebLogic     Server accessible data and unauthorized ability to cause a hang     or frequently repeatable crash (complete DOS) of Oracle WebLogic     Server. (CVE-2019-2452)

  - Vulnerability in the Oracle WebLogic Server component of Oracle     Fusion Middleware (subcomponent: WLS Core Components). Supported     versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3.
    Difficult to exploit vulnerability allows unauthenticated     attacker with network access via T3 to compromise Oracle     WebLogic Server. While the vulnerability is in Oracle WebLogic     Server, attacks may significantly impact additional products.
    Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle     WebLogic Server accessible data as well as unauthorized read     access to a subset of Oracle WebLogic Server accessible data and     unauthorized ability to cause a partial denial of service     (partial DOS) of Oracle WebLogic Server. (CVE-2019-2418)

  - Vulnerability in the Oracle WebLogic Server component of Oracle     Fusion Middleware (subcomponent: WLS - Web Services). The     supported version that is affected is 10.3.6.0. Easily     exploitable vulnerability allows low privileged attacker with     network access via HTTP to compromise Oracle WebLogic Server.
    Successful attacks of this vulnerability can result in     unauthorized read access to a subset of Oracle WebLogic Server     accessible data and unauthorized ability to cause a partial     denial of service (partial DOS) of Oracle WebLogic Server.
    (CVE-2019-2395)

  - Vulnerability in the Oracle WebLogic Server component of Oracle     Fusion Middleware (subcomponent: Application Container - JavaEE).     The supported version that is affected is 12.2.1.3. Easily     exploitable vulnerability allows unauthenticated attacker     with network access via HTTP to compromise Oracle WebLogic     Server. Successful attacks of this vulnerability can result in     unauthorized read access to a subset of Oracle WebLogic Server     accessible data. (CVE-2019-2441)

  - Vulnerability in the Oracle WebLogic Server component of Oracle     Fusion Middleware (subcomponent: WLS - Deployment). Supported     versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3.
    Easily exploitable vulnerability allows low privileged attacker     with network access via HTTP to compromise Oracle WebLogic     Server. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle     WebLogic Server accessible data. (CVE-2019-2398)

  - Legion of the Bouncy Castle Java Cryptography APIs versions prior     to 1.60 are affected by CWE-470: Use of Externally-Controlled     Input to Select Classes or Code ('Unsafe Reflection') flaw in     XMSS/XMSS^MT private key deserialization routines. This allows     an attacker to force execution of arbitrary code. Successful     attack could be conducted via usage of a handcrafted private key     object with references to unexpected classes which allow     malicious commands execution. (CVE-2018-1000613)

  - Vulnerability in the Oracle WebLogic Server component of Oracle     Fusion Middleware (subcomponent: WLS - Web Services). Supported     versions that are affected are 12.1.3.0 and 12.2.1.3. Easily     exploitable vulnerability allows unauthenticated attacker with     network access via HTTP to compromise Oracle WebLogic Server.
    Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access to all     Oracle WebLogic Server accessible data. (CVE-2018-3246)

  - In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted     network packet can be used to request the Derby Network Server     to boot a database whose location and contents are under the     user's control. If the Derby Network Server is not running with     a Java Security Manager policy file, the attack is successful.
    If the server is using a policy file, the policy file must     permit the database location to be read for the attack to work.
    The default Derby Network Server policy file distributed with     the affected releases includes a permissive policy as the     default Network Server policy, which allows the attack to work.
    (CVE-2018-1313)

It was discovered that the low-level interface to the RSA key pair generator of Bouncy Castle (a Java implementation of cryptographic algorithms) could perform less Miller-Rabin primality tests than expected.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level     interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added     certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and     later, BC-FJA 1.0.2 and later. (CVE-2018-1000180)

Note that Nessus relies on the presence of the package as reported by the vendor.

Security fixes for CVE-2017-13098 and CVE-2018-1000180

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the January 2019 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities.

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. (CVE-2018-14718)

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later. (CVE-2018-1000180)

Vulnerability in the Oracle WebCenter Portal component of Oracle Fusion Middleware (subcomponent: WebCenter Spaces Application). Supported versions that are affected are 11.1.1.9.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Portal accessible data. (CVE-2019-2427)

ID	Name	Product	Family	Published	Updated	Severity
112029	RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.1.4 on RHEL 6 (RHSA-2018:2423)	Nessus	Red Hat Local Security Checks	8/21/2018	4/29/2025	high
117691	openSUSE Security Update : bouncycastle (openSUSE-2018-1043)	Nessus	SuSE Local Security Checks	9/25/2018	8/5/2024	high
111092	FreeBSD : Several Security Defects in the Bouncy Castle Crypto APIs (fe93803c-883f-11e8-9f0c-001b216d295b)	Nessus	FreeBSD Local Security Checks	7/16/2018	9/4/2024	critical
117324	RHEL 7 : rhvm-appliance (RHSA-2018:2643)	Nessus	Red Hat Local Security Checks	9/6/2018	4/29/2025	high
112030	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.1.4 on RHEL7 (RHSA-2018:2424)	Nessus	Red Hat Local Security Checks	8/21/2018	4/29/2025	high
121226	Oracle WebLogic Server Multiple Vulnerabilities (January 2019 CPU)	Nessus	Misc.	1/17/2019	12/5/2022	critical
110665	Debian DSA-4233-1 : bouncycastle - security update	Nessus	Debian Local Security Checks	6/25/2018	9/17/2024	high
252722	Linux Distros Unpatched Vulnerability : CVE-2018-1000180	Nessus	Misc.	8/20/2025	8/20/2025	high
120804	Fedora 28 : bouncycastle (2018-ceced55c5e)	Nessus	Fedora Local Security Checks	1/3/2019	7/1/2024	high
110599	Fedora 27 : bouncycastle (2018-da9fe79871)	Nessus	Fedora Local Security Checks	6/19/2018	9/17/2024	high
121347	Oracle WebCenter Portal Multiple Vulnerabilities (Jan 2019 CPU)	Nessus	Misc.	1/24/2019	10/22/2025	critical

Detections

Analytics

Plugins Search

high

high

critical

high

high

critical

high

high

high

high

critical