检测

插件

RHEL 8：Red Hat JBoss Enterprise Application Platform 7.3.2 (RHSA-2020: 3463)

critical Nessus 插件 ID 139619

语言：

简介

远程 Red Hat 主机缺少一个或多个安全更新。

描述

远程 Redhat Enterprise Linux 8 主机上安装的程序包受到 RHSA-2020: 3463 公告中提及的多个漏洞的影响。

- hibernate：Hibernate ORM 中的 SQL 注入问题 (CVE-2019-14900)

- jackson-databind：未正确处理序列化小工具与类型之间的交互，这可能导致远程命令执行（CVE-2020-10672、CVE-2020-10673）

- dom4j: 默认 SAX 解析器中的 XML 外部实体漏洞 (CVE-2020-10683)

- Undertow：由于在 HTTP 请求中允许无效字符，导致 CVE-2017-2666 的修复不完整 (CVE-2020-10687)

- hibernate-validator：插入限制错误消息时未正确验证输入 (CVE-2020-10693)

- wildfly-elytron：使用 FORM 身份验证时的会话固定 (CVE-2020-10714)

- wildfly：通过 EmbeddedManagedProcess API 暴露了 TCCL 设置 (CVE-2020-10718)

- wildfly：Wildfly Enterprise Java Bean 中不安全的反序列化 (CVE-2020-10740)

- netty：压缩/解压缩编解码器未对缓冲区分配大小强制执行限制 (CVE-2020-11612)

- wildfly：某些 EJB 事务对象可能发生累积，从而导致拒绝服务 (CVE-2020-14297)

- wildfly：收到响应后，系统可能无法正确移除 EJB SessionOpenInvocations，从而导致拒绝服务 (CVE-2020-14307)

- EAP：字段名称未按照 RFC7230 进行解析 (CVE-2020-1710)

- wildfly：使用替代保护域时，WildFlySecurityManager 中存在不当授权问题 (CVE-2020-1748)

请注意，Nessus 尚未测试这些问题，而是只依据应用程序自我报告的版本号进行判断。

解决方案

更新受影响的程序包。

另见

https://bugzilla.redhat.com/show_bug.cgi?id=1834512

https://bugzilla.redhat.com/show_bug.cgi?id=1853595

https://issues.redhat.com/browse/JBEAP-19095

https://issues.redhat.com/browse/JBEAP-19134

https://issues.redhat.com/browse/JBEAP-19185

https://issues.redhat.com/browse/JBEAP-19203

https://issues.redhat.com/browse/JBEAP-19269

https://issues.redhat.com/browse/JBEAP-19322

https://issues.redhat.com/browse/JBEAP-19325

https://issues.redhat.com/browse/JBEAP-19397

https://issues.redhat.com/browse/JBEAP-19410

https://issues.redhat.com/browse/JBEAP-19411

https://issues.redhat.com/browse/JBEAP-19529

https://issues.redhat.com/browse/JBEAP-19564

https://issues.redhat.com/browse/JBEAP-19585

https://issues.redhat.com/browse/JBEAP-19617

https://issues.redhat.com/browse/JBEAP-19619

https://issues.redhat.com/browse/JBEAP-19673

http://www.nessus.org/u?34e23b20

https://issues.redhat.com/browse/JBEAP-19674

https://issues.redhat.com/browse/JBEAP-19874

https://access.redhat.com/security/updates/classification/#important

http://www.nessus.org/u?39676da8

http://www.nessus.org/u?bda70809

https://access.redhat.com/errata/RHSA-2020:3463

https://bugzilla.redhat.com/show_bug.cgi?id=1666499

https://bugzilla.redhat.com/show_bug.cgi?id=1694235

https://bugzilla.redhat.com/show_bug.cgi?id=1785049

https://bugzilla.redhat.com/show_bug.cgi?id=1793970

https://bugzilla.redhat.com/show_bug.cgi?id=1805501

https://bugzilla.redhat.com/show_bug.cgi?id=1807707

https://bugzilla.redhat.com/show_bug.cgi?id=1815470

https://bugzilla.redhat.com/show_bug.cgi?id=1815495

https://bugzilla.redhat.com/show_bug.cgi?id=1825714

https://bugzilla.redhat.com/show_bug.cgi?id=1828476

插件详情

严重性: Critical

ID: 139619

文件名: redhat-RHSA-2020-3463.nasl

版本: 1.11

类型: local

代理: unix

系列: Red Hat Local Security Checks

发布时间: 2020/8/17

最近更新时间: 2024/6/3

支持的传感器: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

风险信息

VPR

风险因素: Medium

分数: 6.7

CVSS v2

风险因素: High

基本分数: 7.5

时间分数: 5.5

矢量: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 分数来源: CVE-2020-10683

CVSS v3

风险因素: Critical

基本分数: 9.8

时间分数: 8.5

矢量: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

时间矢量: CVSS:3.0/E:U/RL:O/RC:C

漏洞信息

CPE: p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-core, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsf-api_2.3_spec, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-common, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly16.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-remote, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-genericjms, p-cpe:/a:redhat:enterprise_linux:eap7-netty, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-providers, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-client-hotrod, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core, p-cpe:/a:redhat:enterprise_linux:eap7-elytron-web, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-logmanager, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-commons, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly17.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc, p-cpe:/a:redhat:enterprise_linux:eap7-netty-all, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-jdbc, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-hibernate-cache-spi, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly18.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-hibernate-cache-commons, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-hibernate-cache-v53, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly15.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server, p-cpe:/a:redhat:enterprise_linux:eap7-undertow, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0, p-cpe:/a:redhat:enterprise_linux:eap7-dom4j, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base, p-cpe:/a:redhat:enterprise_linux:eap7-hal-console, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool, p-cpe:/a:redhat:enterprise_linux:eap7-undertow-server, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar

必需的 KB 项: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

易利用性: No known exploits are available

补丁发布日期: 2020/8/17

漏洞发布日期: 2020/3/18

参考资料信息

CVE: CVE-2019-14900, CVE-2020-10672, CVE-2020-10673, CVE-2020-10683, CVE-2020-10687, CVE-2020-10693, CVE-2020-10714, CVE-2020-10718, CVE-2020-10740, CVE-2020-11612, CVE-2020-14297, CVE-2020-14307, CVE-2020-1710, CVE-2020-1748

CWE: 113, 20, 285, 384, 400, 404, 444, 502, 611, 749, 89, 96

IAVA: 2020-A-0324, 2021-A-0032, 2021-A-0035-S, 2021-A-0196, 2021-A-0326, 2021-A-0328

RHSA: 2020:3463