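RHEL 5 : Red Hat JBoss Enterprise Application Platform 6.3.1 update (Low) (RHSA-2014:1286)

medium Nessus Plugin ID 77827

Synopsis

The remote Red Hat host is missing a security update.

Description

The remote Red Hat Enterprise Linux 5 host has packages installed that are affected by a vulnerability referenced in the RHSA-2014:1286 advisory.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was discovered that the implementation of org.hibernate.validator.util.ReflectionHelper, together with the permissions required to run Hibernate Validator under the Java Security Manager, could allow a malicious application deployed in the same application container to execute several actions with escalated privileges, which would otherwise not be possible. This flaw could be used to perform various attacks, including but not limited to arbitrary code execution in systems that are otherwise secured by the Java Security Manager. (CVE-2014-3558)

This release of JBoss Enterprise Application Platform also includes bug fixes and enhancements. A list of these changes is available from the JBoss Enterprise Application Platform 6.3.1 Downloads page on the Customer Portal.

All users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages.
The JBoss server process must be restarted for the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also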

http://www.nessus.org/u?1b2c8501

https://access.redhat.com/security/updates/classification/#low

https://bugzilla.redhat.com/show_bug.cgi?id=1120495

https://bugzilla.redhat.com/show_bug.cgi?id=1128667

https://bugzilla.redhat.com/show_bug.cgi?id=1128713

https://bugzilla.redhat.com/show_bug.cgi?id=1129664

https://bugzilla.redhat.com/show_bug.cgi?id=1129681

https://bugzilla.redhat.com/show_bug.cgi?id=1131101

https://bugzilla.redhat.com/show_bug.cgi?id=1131836

https://bugzilla.redhat.com/show_bug.cgi?id=1131982

https://bugzilla.redhat.com/show_bug.cgi?id=1131987

https://bugzilla.redhat.com/show_bug.cgi?id=1132010

https://bugzilla.redhat.com/show_bug.cgi?id=1132034

https://bugzilla.redhat.com/show_bug.cgi?id=1132040

https://bugzilla.redhat.com/show_bug.cgi?id=1132812

https://bugzilla.redhat.com/show_bug.cgi?id=1134668

https://bugzilla.redhat.com/show_bug.cgi?id=1136933

https://bugzilla.redhat.com/show_bug.cgi?id=1136936

https://access.redhat.com/errata/RHSA-2014:1286

Plugin Details

Severity: Medium

ID: 77827

File Name: redhat-RHSA-2014-1286.nasl

Version: 1.15

Type: local

Agent: unix

Published: 2014/9/25

Updated: 2025/3/20

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.4

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2014-3558

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:picketlink-bindings, p-cpe:/a:redhat:enterprise_linux:httpcomponents-client-eap6, p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient, p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all, p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin, p-cpe:/a:redhat:enterprise_linux:jboss-as-weld, p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering, p-cpe:/a:redhat:enterprise_linux:jboss-modules, p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin, cpe:/o:redhat:enterprise_linux:5, p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap, p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6, p-cpe:/a:redhat:enterprise_linux:httpcomponents-core-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap, p-cpe:/a:redhat:enterprise_linux:jbossxb2, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller, p-cpe:/a:redhat:enterprise_linux:httpcore-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-threads, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service, p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb, p-cpe:/a:redhat:enterprise_linux:httpcomponents-project-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content, p-cpe:/a:redhat:enterprise_linux:jboss-as-server, p-cpe:/a:redhat:enterprise_linux:jboss-as-console, p-cpe:/a:redhat:enterprise_linux:picketlink-federation, p-cpe:/a:redhat:enterprise_linux:jboss-as-logging, p-cpe:/a:redhat:enterprise_linux:jboss-hal, p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink, p-cpe:/a:redhat:enterprise_linux:jboss-as-version, p-cpe:/a:redhat:enterprise_linux:jboss-jaxr-api_1.0_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository, p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner, p-cpe:/a:redhat:enterprise_linux:jboss-as-network, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6, 
p-cpe:/a:redhat:enterprise_linux:jboss-annotations-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:httpcomponents-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs, p-cpe:/a:redhat:enterprise_linux:jboss-jms-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-sar, p-cpe:/a:redhat:enterprise_linux:jboss-interceptors-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management, p-cpe:/a:redhat:enterprise_linux:jboss-transaction-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee, p-cpe:/a:redhat:enterprise_linux:jboss-connector-api_1.6_spec, p-cpe:/a:redhat:enterprise_linux:jboss-saaj-api_1.3_spec, p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs, p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp, p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller, p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap, p-cpe:/a:redhat:enterprise_linux:jboss-security-negotiation, p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx, p-cpe:/a:redhat:enterprise_linux:glassfish-jsf-eap6, p-cpe:/a:redhat:enterprise_linux:hornetq, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6, p-cpe:/a:redhat:enterprise_linux:xml-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-cli, p-cpe:/a:redhat:enterprise_linux:netty, p-cpe:/a:redhat:enterprise_linux:resteasy, p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-domain, p-cpe:/a:redhat:enterprise_linux:jboss-as-web, p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster, p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6, 
p-cpe:/a:redhat:enterprise_linux:jboss-jaxrs-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-connector, p-cpe:/a:redhat:enterprise_linux:jbossas-bundles, p-cpe:/a:redhat:enterprise_linux:jboss-marshalling, p-cpe:/a:redhat:enterprise_linux:jboss-jsp-api_2.2_spec, p-cpe:/a:redhat:enterprise_linux:jbossas-standalone, p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller, p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment, p-cpe:/a:redhat:enterprise_linux:jbossweb, p-cpe:/a:redhat:enterprise_linux:jboss-as-naming, p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean, p-cpe:/a:redhat:enterprise_linux:jboss-remoting3, p-cpe:/a:redhat:enterprise_linux:wss4j, p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6, p-cpe:/a:redhat:enterprise_linux:jbossas-core, p-cpe:/a:redhat:enterprise_linux:httpmime-eap6, p-cpe:/a:redhat:enterprise_linux:jbossts, p-cpe:/a:redhat:enterprise_linux:jboss-as-xts, p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions, p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices, p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security, p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi, p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77, p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http, p-cpe:/a:redhat:enterprise_linux:jbossas-appclient, p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded, p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting, p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa, p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol, p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client, p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr, p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr, p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client, p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6, p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf, p-cpe:/a:redhat:enterprise_linux:httpclient-eap6, 
p-cpe:/a:redhat:enterprise_linux:jboss-remote-naming, p-cpe:/a:redhat:enterprise_linux:jboss-jaxws-api_2.2_spec, p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo, p-cpe:/a:redhat:enterprise_linux:jboss-as-mail, p-cpe:/a:redhat:enterprise_linux:hibernate4-validator, p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3, p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/9/23

Reference Information

CVE: CVE-2014-3558

BID: 70101

CWE: 266

RHSA: 2014:1286