RHEL 7:RHEL 7 上的 Red Hat JBoss Enterprise Application Platform 7.2.8 (RHSA-2020: 2059)
critical Nessus 插件 ID 136498
语言:
简介
远程 Red Hat 主机缺少一个或多个安全更新。描述
远程 Redhat Enterprise Linux 7 主机上安装的程序包受到 RHSA-2020: 2059 公告中提及的多个漏洞的影响。- jackson-mapper-asl:XML 外部实体类似于 CVE-2016-3720 (CVE-2019-10172)
- cxf:OpenId Connect 令牌服务未正确验证 clientId (CVE-2019-12423)
- cxf:服务清单页面存在反射型 XSS (CVE-2019-17573)
- undertow:可通过 Expect: 100-continue 标头在 HttpReadListener 中造成内存耗尽问题 (CVE-2020-10705)
- undertow:具有大区块大小的无效 HTTP 请求 (CVE-2020-10719)
- wildfly:使用其他安全域调用另一个 EJB 之后,EJBContext 主体未能弹出 (CVE-2020-1719)
- SmallRye:SecuritySupport 类遭错误公开,且包含用于访问当前线程环境类加载器的静态方法 (CVE-2020-1729)
- Soteria:不同并发线程中的安全身份损坏 (CVE-2020-1732)
- undertow:AJP 文件读取/注入漏洞 (CVE-2020-1745)
- undertow:servletPath 未经正确标准化,因此会造成危险的应用程序映射,这可能会导致安全绕过 (CVE-2020-1757)
- cryptacular:解码时发生内存分配过度 (CVE-2020-7226)
请注意,Nessus 尚未测试这些问题,而是只依据应用程序自我报告的版本号进行判断。
解决方案
更新受影响的程序包。另见
http://www.nessus.org/u?48a7d6fc
http://www.nessus.org/u?5ad39889
http://www.nessus.org/u?fdc49160
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/errata/RHSA-2020:2059
https://bugzilla.redhat.com/show_bug.cgi?id=1715075
https://bugzilla.redhat.com/show_bug.cgi?id=1752770
https://bugzilla.redhat.com/show_bug.cgi?id=1796617
https://bugzilla.redhat.com/show_bug.cgi?id=1797006
https://bugzilla.redhat.com/show_bug.cgi?id=1797011
https://bugzilla.redhat.com/show_bug.cgi?id=1801380
https://bugzilla.redhat.com/show_bug.cgi?id=1801726
https://bugzilla.redhat.com/show_bug.cgi?id=1802444
https://bugzilla.redhat.com/show_bug.cgi?id=1803241
https://bugzilla.redhat.com/show_bug.cgi?id=1807305
https://bugzilla.redhat.com/show_bug.cgi?id=1828459
https://issues.redhat.com/browse/JBEAP-18071
https://issues.redhat.com/browse/JBEAP-18267
https://issues.redhat.com/browse/JBEAP-18278
https://issues.redhat.com/browse/JBEAP-18423
https://issues.redhat.com/browse/JBEAP-18438
https://issues.redhat.com/browse/JBEAP-18503
https://issues.redhat.com/browse/JBEAP-18506
https://issues.redhat.com/browse/JBEAP-18536
https://issues.redhat.com/browse/JBEAP-18595
https://issues.redhat.com/browse/JBEAP-18616
https://issues.redhat.com/browse/JBEAP-18628
https://issues.redhat.com/browse/JBEAP-18631
https://issues.redhat.com/browse/JBEAP-18639
https://issues.redhat.com/browse/JBEAP-18646
https://issues.redhat.com/browse/JBEAP-18652
https://issues.redhat.com/browse/JBEAP-18664
https://issues.redhat.com/browse/JBEAP-18724
https://issues.redhat.com/browse/JBEAP-18729
https://issues.redhat.com/browse/JBEAP-18787
https://issues.redhat.com/browse/JBEAP-18789
https://issues.redhat.com/browse/JBEAP-18817
https://issues.redhat.com/browse/JBEAP-18827
https://issues.redhat.com/browse/JBEAP-18835
https://issues.redhat.com/browse/JBEAP-18885
https://issues.redhat.com/browse/JBEAP-18886
https://issues.redhat.com/browse/JBEAP-18931
https://issues.redhat.com/browse/JBEAP-18988
https://issues.redhat.com/browse/JBEAP-18989
插件详情
严重性: Critical
ID: 136498
文件名: redhat-RHSA-2020-2059.nasl
版本: 1.12
类型: local
代理: unix
发布时间: 2020/5/12
最近更新时间: 2024/4/28
支持的传感器: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
风险信息
VPR
风险因素: Medium
分数: 5.9
CVSS v2
风险因素: High
基本分数: 7.5
时间分数: 5.9
矢量: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 分数来源: CVE-2020-1745
CVSS v3
风险因素: Critical
基本分数: 9.8
时间分数: 8.8
矢量: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
时间矢量: CVSS:3.0/E:P/RL:O/RC:C
漏洞信息
CPE: cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools, p-cpe:/a:redhat:enterprise_linux:eap7-bouncycastle, p-cpe:/a:redhat:enterprise_linux:eap7-bouncycastle-mail, p-cpe:/a:redhat:enterprise_linux:eap7-bouncycastle-pkix, p-cpe:/a:redhat:enterprise_linux:eap7-bouncycastle-prov, p-cpe:/a:redhat:enterprise_linux:eap7-codehaus-jackson, p-cpe:/a:redhat:enterprise_linux:eap7-codehaus-jackson-core-asl, p-cpe:/a:redhat:enterprise_linux:eap7-codehaus-jackson-jaxrs, p-cpe:/a:redhat:enterprise_linux:eap7-codehaus-jackson-mapper-asl, p-cpe:/a:redhat:enterprise_linux:eap7-codehaus-jackson-xc, p-cpe:/a:redhat:enterprise_linux:eap7-cryptacular, p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-el, p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-el-impl, p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-javamail, p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf, p-cpe:/a:redhat:enterprise_linux:eap7-hal-console, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-commons-annotations, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-search, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-search-backend-jgroups, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-search-backend-jms, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-search-engine, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-search-orm, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-search-serialization-avro, p-cpe:/a:redhat:enterprise_linux:eap7-httpcomponents-client, p-cpe:/a:redhat:enterprise_linux:eap7-httpcomponents-core, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind, p-cpe:/a:redhat:enterprise_linux:eap7-jasypt, p-cpe:/a:redhat:enterprise_linux:eap7-javaee-security-soteria, p-cpe:/a:redhat:enterprise_linux:eap7-javaee-security-soteria-enterprise, p-cpe:/a:redhat:enterprise_linux:eap7-jaxbintros, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-batch-api_1.0_spec, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-classfilewriter, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-common-beans, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-api_3.2_spec, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-invocation, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsf-api_2.3_spec, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-modules, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-openjdk-orb, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-remoting, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-remoting-jmx, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-security-negotiation, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-threads, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-websocket-api_1.1_spec, p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-common, p-cpe:/a:redhat:enterprise_linux:eap7-jgroups, p-cpe:/a:redhat:enterprise_linux:eap7-jgroups-azure, p-cpe:/a:redhat:enterprise_linux:eap7-jgroups-kubernetes, p-cpe:/a:redhat:enterprise_linux:eap7-mod_cluster, p-cpe:/a:redhat:enterprise_linux:eap7-narayana, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbosstxbridge, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbossxts, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util, p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-core, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-profile-api, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-saml-api, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-saml-impl, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-security-api, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-security-impl, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-soap-api, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-xacml-api, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-xacml-impl, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-xacml-saml-api, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-xacml-saml-impl, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-xmlsec-api, p-cpe:/a:redhat:enterprise_linux:eap7-opensaml-xmlsec-impl, p-cpe:/a:redhat:enterprise_linux:eap7-picketbox, p-cpe:/a:redhat:enterprise_linux:eap7-picketbox-infinispan, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client-microprofile, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-binding-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-rxjava2, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider, p-cpe:/a:redhat:enterprise_linux:eap7-slf4j-jboss-logmanager, p-cpe:/a:redhat:enterprise_linux:eap7-smallrye-config, p-cpe:/a:redhat:enterprise_linux:eap7-smallrye-health, p-cpe:/a:redhat:enterprise_linux:eap7-undertow, p-cpe:/a:redhat:enterprise_linux:eap7-weld-cdi-2.0-api, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-naming-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client, p-cpe:/a:redhat:enterprise_linux:eap7-ws-commons-xmlschema, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-bindings, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-policy, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-common, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-dom, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-policy-stax, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-stax
必需的 KB 项: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
可利用: true
易利用性: Exploits are available
补丁发布日期: 2020/5/11
漏洞发布日期: 2019/11/18
参考资料信息
CVE: CVE-2019-10172, CVE-2019-12423, CVE-2019-17573, CVE-2020-10705, CVE-2020-10719, CVE-2020-1719, CVE-2020-1729, CVE-2020-1732, CVE-2020-1745, CVE-2020-1757, CVE-2020-7226