RHEL 5:Red Hat JBoss Enterprise Application Platform 6.3.0 更新(重要)(RHSA-2014:1019)
medium Nessus 插件 ID 77078
语言:
简介
远程 Red Hat 主机缺少一个或多个安全更新。描述
远程 Redhat Enterprise Linux 5 主机上安装的程序包受到 RHSA-2014:1019 公告中提及的多个漏洞的影响。Red Hat JBoss Enterprise Application Platform 6 是适用于基于 JBoss Application Server 7 的 Java 应用程序的平台。
在 mod_status httpd 模块中发现导致基于堆的缓冲区溢出的争用条件缺陷。能够使用线程化多重处理模块 (MPM) 访问服务器上由 mod_status 提供服务的状态页面的远程攻击者可以发送特别构建的请求,以导致 httpd 子进程崩溃,或者可能允许攻击者以 apache 用户的权限执行任意代码。(CVE-2014-0226)
在 httpd 的 mod_deflate 模块处理请求正文解压缩(通过 DEFLATE 输入过滤器配置)的方式中发现拒绝服务缺陷。能够发送其正文需要解压缩的请求的远程攻击者可以利用此缺陷消耗目标系统上的大量系统内存和 CPU。(CVE-2014-0118)
已发现 httpd 的 mod_cgid 模块执行未从标准输入读取数据的 CGI 脚本的方式中存在拒绝服务缺陷。
远程攻击者可提交特别构建的请求,以导致 httpd 子进程无限期挂起。(CVE-2014-0231)
在 WebSocket08FrameDecoder 实现中发现一个缺陷,远程攻击者可利用此缺陷通过发出一系列 TextWebSocketFrame 和 ContinuationWebSocketFrames 来触发内存不足异常。这可能导致拒绝服务,具体取决于服务器配置。
(CVE-2014-0193)
已发现 SimpleSecurityManager 的 isCallerInRole() 方法没有正确检查调用程序角色。经过认证的远程攻击者可利用此缺陷避开使用基于调用程序角色的黑名单访问控制的应用程序中的调用程序检查。(CVE-2014-3472)
Red Hat 在此感谢 Typesafe 的 James Roper 报告 CVE-2014-0193;感谢 CA Technologies 报告 CVE-2014-3472。
此版本的 JBoss Enterprise Application Platform 也包括缺陷补丁和增强功能。很快将可在“参考”部分链接的 JBoss Enterprise Application Platform 6.3.0 版本说明中查看这些更改的文档。
对于所有需要 Red Hat Enterprise Linux 5 中的 JBoss Enterprise Application Platform 6.3.0 的用户,都应安装这些新程序包。必须重新启动 JBoss 服务器进程才能使更新生效。
Tenable 已直接从 Red Hat Enterprise Linux 安全公告中提取上述描述块。
请注意,Nessus 尚未测试这些问题,而是只依据应用程序自我报告的版本号进行判断。
解决方案
更新受影响的程序包。另见
http://www.nessus.org/u?8937e67e
http://www.nessus.org/u?c720f7b0
https://access.redhat.com/errata/RHSA-2014:1019
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=1038658
https://bugzilla.redhat.com/show_bug.cgi?id=1052745
https://bugzilla.redhat.com/show_bug.cgi?id=1053239
https://bugzilla.redhat.com/show_bug.cgi?id=1053245
https://bugzilla.redhat.com/show_bug.cgi?id=1053254
https://bugzilla.redhat.com/show_bug.cgi?id=1053261
https://bugzilla.redhat.com/show_bug.cgi?id=1053775
https://bugzilla.redhat.com/show_bug.cgi?id=1067505
https://bugzilla.redhat.com/show_bug.cgi?id=1067567
https://bugzilla.redhat.com/show_bug.cgi?id=1069415
https://bugzilla.redhat.com/show_bug.cgi?id=1071414
https://bugzilla.redhat.com/show_bug.cgi?id=1072567
https://bugzilla.redhat.com/show_bug.cgi?id=1072592
https://bugzilla.redhat.com/show_bug.cgi?id=1076644
https://bugzilla.redhat.com/show_bug.cgi?id=1076650
https://bugzilla.redhat.com/show_bug.cgi?id=1076653
https://bugzilla.redhat.com/show_bug.cgi?id=1078673
https://bugzilla.redhat.com/show_bug.cgi?id=1079399
https://bugzilla.redhat.com/show_bug.cgi?id=1079410
https://bugzilla.redhat.com/show_bug.cgi?id=1079414
https://bugzilla.redhat.com/show_bug.cgi?id=1079417
https://bugzilla.redhat.com/show_bug.cgi?id=1079422
https://bugzilla.redhat.com/show_bug.cgi?id=1079426
https://bugzilla.redhat.com/show_bug.cgi?id=1079431
https://bugzilla.redhat.com/show_bug.cgi?id=1079480
https://bugzilla.redhat.com/show_bug.cgi?id=1079794
https://bugzilla.redhat.com/show_bug.cgi?id=1079897
https://bugzilla.redhat.com/show_bug.cgi?id=1080388
https://bugzilla.redhat.com/show_bug.cgi?id=1080714
https://bugzilla.redhat.com/show_bug.cgi?id=1080722
https://bugzilla.redhat.com/show_bug.cgi?id=1080776
https://bugzilla.redhat.com/show_bug.cgi?id=1081266
https://bugzilla.redhat.com/show_bug.cgi?id=1081631
https://bugzilla.redhat.com/show_bug.cgi?id=1082057
https://bugzilla.redhat.com/show_bug.cgi?id=1084348
https://bugzilla.redhat.com/show_bug.cgi?id=1086793
https://bugzilla.redhat.com/show_bug.cgi?id=1092089
https://bugzilla.redhat.com/show_bug.cgi?id=1092104
https://bugzilla.redhat.com/show_bug.cgi?id=1092783
https://bugzilla.redhat.com/show_bug.cgi?id=1102510
https://bugzilla.redhat.com/show_bug.cgi?id=1102513
https://bugzilla.redhat.com/show_bug.cgi?id=1103815
https://bugzilla.redhat.com/show_bug.cgi?id=1120596
插件详情
严重性: Medium
ID: 77078
文件名: redhat-RHSA-2014-1019.nasl
版本: 1.28
类型: local
代理: unix
发布时间: 2014/8/8
最近更新时间: 2025/3/20
支持的传感器: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
风险信息
VPR
风险因素: Medium
分数: 6.7
Vendor
Vendor Severity: Important
CVSS v2
风险因素: Medium
基本分数: 6.8
时间分数: 5.3
矢量: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 分数来源: CVE-2014-0226
CVSS v3
风险因素: Medium
基本分数: 6.5
时间分数: 5.9
矢量: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
时间矢量: CVSS:3.0/E:P/RL:O/RC:C
CVSS 分数来源: CVE-2014-0227
漏洞信息
CPE: p-cpe:/a:redhat:enterprise_linux:picketlink-bindings, p-cpe:/a:redhat:enterprise_linux:httpcomponents-client-eap6, p-cpe:/a:redhat:enterprise_linux:apache-commons-lang-eap6, p-cpe:/a:redhat:enterprise_linux:jbossws-cxf, p-cpe:/a:redhat:enterprise_linux:jaxbintros, p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient, p-cpe:/a:redhat:enterprise_linux:rngom-eap6, p-cpe:/a:redhat:enterprise_linux:tomcat-native, p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all, p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-ear, p-cpe:/a:redhat:enterprise_linux:infinispan-core, p-cpe:/a:redhat:enterprise_linux:jboss-as-weld, p-cpe:/a:redhat:enterprise_linux:stilts, p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering, p-cpe:/a:redhat:enterprise_linux:mod_cluster-demo, p-cpe:/a:redhat:enterprise_linux:jboss-logging, p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin, cpe:/o:redhat:enterprise_linux:5, p-cpe:/a:redhat:enterprise_linux:httpd-devel, p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap, p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs, p-cpe:/a:redhat:enterprise_linux:apache-commons-cli-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-sar, p-cpe:/a:redhat:enterprise_linux:jboss-jms-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:jbossws-native, p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management, p-cpe:/a:redhat:enterprise_linux:jboss-transaction-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6, p-cpe:/a:redhat:enterprise_linux:guava-libraries, p-cpe:/a:redhat:enterprise_linux:sun-saaj-1.3-impl, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee, p-cpe:/a:redhat:enterprise_linux:jboss-saaj-api_1.3_spec, p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs, p-cpe:/a:redhat:enterprise_linux:gnu-getopt-eap6, p-cpe:/a:redhat:enterprise_linux:apache-commons-beanutils-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp, p-cpe:/a:redhat:enterprise_linux:jboss-as-security, p-cpe:/a:redhat:enterprise_linux:jboss-jstl-api_1.2_spec, p-cpe:/a:redhat:enterprise_linux:jboss-vfs2, p-cpe:/a:redhat:enterprise_linux:mod_snmp, p-cpe:/a:redhat:enterprise_linux:jandex-eap6, p-cpe:/a:redhat:enterprise_linux:slf4j-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller, p-cpe:/a:redhat:enterprise_linux:jboss-transaction-spi, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-web, p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap, p-cpe:/a:redhat:enterprise_linux:jboss-security-negotiation, p-cpe:/a:redhat:enterprise_linux:woodstox-stax2-api-eap6, p-cpe:/a:redhat:enterprise_linux:sun-txw2, p-cpe:/a:redhat:enterprise_linux:apache-commons-codec-eap6, p-cpe:/a:redhat:enterprise_linux:woodstox-core-eap6, p-cpe:/a:redhat:enterprise_linux:slf4j-jboss-logmanager, p-cpe:/a:redhat:enterprise_linux:opensaml, p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx, p-cpe:/a:redhat:enterprise_linux:hornetq-native, p-cpe:/a:redhat:enterprise_linux:httpd-tools, p-cpe:/a:redhat:enterprise_linux:hornetq, p-cpe:/a:redhat:enterprise_linux:infinispan-client-hotrod, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6, p-cpe:/a:redhat:enterprise_linux:apache-commons-configuration-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-cli, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-common, p-cpe:/a:redhat:enterprise_linux:jgroups, p-cpe:/a:redhat:enterprise_linux:jbossws-common, p-cpe:/a:redhat:enterprise_linux:sun-codemodel, p-cpe:/a:redhat:enterprise_linux:apache-commons-io-eap6, p-cpe:/a:redhat:enterprise_linux:netty, p-cpe:/a:redhat:enterprise_linux:resteasy, p-cpe:/a:redhat:enterprise_linux:mod_jk-ap22, p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-domain, p-cpe:/a:redhat:enterprise_linux:jboss-as-web, p-cpe:/a:redhat:enterprise_linux:openws, p-cpe:/a:redhat:enterprise_linux:jboss-sasl, p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-connector, p-cpe:/a:redhat:enterprise_linux:jbossas-bundles, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-xc, p-cpe:/a:redhat:enterprise_linux:mod_jk, p-cpe:/a:redhat:enterprise_linux:httpd, p-cpe:/a:redhat:enterprise_linux:jboss-marshalling, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson, p-cpe:/a:redhat:enterprise_linux:jbossas-standalone, p-cpe:/a:redhat:enterprise_linux:mod_rt, p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment, p-cpe:/a:redhat:enterprise_linux:jbossweb, p-cpe:/a:redhat:enterprise_linux:wsdl4j-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-naming, p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean, p-cpe:/a:redhat:enterprise_linux:jboss-remoting3, p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-core, p-cpe:/a:redhat:enterprise_linux:httpmime-eap6, p-cpe:/a:redhat:enterprise_linux:jbossts, p-cpe:/a:redhat:enterprise_linux:jboss-as-xts, p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions, p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices, p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security, p-cpe:/a:redhat:enterprise_linux:h2database, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77, p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6, p-cpe:/a:redhat:enterprise_linux:httpcomponents-core-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap, p-cpe:/a:redhat:enterprise_linux:sun-xsom, p-cpe:/a:redhat:enterprise_linux:weld-core, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller, p-cpe:/a:redhat:enterprise_linux:ws-commons-neethi, p-cpe:/a:redhat:enterprise_linux:httpcore-eap6, p-cpe:/a:redhat:enterprise_linux:joda-time-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-ejb, p-cpe:/a:redhat:enterprise_linux:sun-istack-commons, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-mapper-asl, p-cpe:/a:redhat:enterprise_linux:jboss-as-threads, p-cpe:/a:redhat:enterprise_linux:jettison-eap6, p-cpe:/a:redhat:enterprise_linux:slf4j, p-cpe:/a:redhat:enterprise_linux:jdom-eap6, p-cpe:/a:redhat:enterprise_linux:apache-commons-daemon-jsvc-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service, p-cpe:/a:redhat:enterprise_linux:jboss-genericjms, p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb, p-cpe:/a:redhat:enterprise_linux:httpcomponents-project-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-core-asl, p-cpe:/a:redhat:enterprise_linux:jboss-as-server, p-cpe:/a:redhat:enterprise_linux:jboss-as-console, p-cpe:/a:redhat:enterprise_linux:mod_cluster-native, p-cpe:/a:redhat:enterprise_linux:picketlink-federation, p-cpe:/a:redhat:enterprise_linux:jboss-as-logging, p-cpe:/a:redhat:enterprise_linux:jboss-hal, p-cpe:/a:redhat:enterprise_linux:jbossas-jbossweb-native, p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink, p-cpe:/a:redhat:enterprise_linux:apache-commons-collections-eap6, p-cpe:/a:redhat:enterprise_linux:mod_cluster, p-cpe:/a:redhat:enterprise_linux:jboss-as-version, p-cpe:/a:redhat:enterprise_linux:xmltooling, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner, p-cpe:/a:redhat:enterprise_linux:jboss-as-network, p-cpe:/a:redhat:enterprise_linux:jansi-eap6, p-cpe:/a:redhat:enterprise_linux:jython-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6, p-cpe:/a:redhat:enterprise_linux:xom, p-cpe:/a:redhat:enterprise_linux:httpd-manual, p-cpe:/a:redhat:enterprise_linux:apache-mime4j, p-cpe:/a:redhat:enterprise_linux:infinispan-cachestore-remote, p-cpe:/a:redhat:enterprise_linux:httpcomponents-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http, p-cpe:/a:redhat:enterprise_linux:jbossas-appclient, p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded, p-cpe:/a:redhat:enterprise_linux:infinispan, p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting, p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa, p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr, p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr, p-cpe:/a:redhat:enterprise_linux:jbossws-spi, p-cpe:/a:redhat:enterprise_linux:snakeyaml-eap6, p-cpe:/a:redhat:enterprise_linux:mod_ssl, p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6, p-cpe:/a:redhat:enterprise_linux:ecj-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf, p-cpe:/a:redhat:enterprise_linux:httpclient-eap6, p-cpe:/a:redhat:enterprise_linux:scannotation, p-cpe:/a:redhat:enterprise_linux:infinispan-cachestore-jdbc, p-cpe:/a:redhat:enterprise_linux:codehaus-jackson-jaxrs, p-cpe:/a:redhat:enterprise_linux:jboss-msc, p-cpe:/a:redhat:enterprise_linux:jbossas-hornetq-native, p-cpe:/a:redhat:enterprise_linux:jboss-jaxws-api_2.2_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo, p-cpe:/a:redhat:enterprise_linux:cal10n-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-mail, p-cpe:/a:redhat:enterprise_linux:jboss-metadata-appclient, p-cpe:/a:redhat:enterprise_linux:hibernate4-validator, p-cpe:/a:redhat:enterprise_linux:jaxen-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3, p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx, p-cpe:/a:redhat:enterprise_linux:jboss-metadata
必需的 KB 项: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
可利用: true
易利用性: Exploits are available
补丁发布日期: 2014/8/6
参考资料信息
CVE: CVE-2014-0118, CVE-2014-0193, CVE-2014-0226, CVE-2014-0227, CVE-2014-0231, CVE-2014-3464, CVE-2014-3472