Detections
Analytics

RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.3.10 security update on RHEL 7 (Moderate) (RHSA-2021:5150)

high Nessus Plugin ID 156106

Language:

Synopsis

The remote Red Hat host is missing one or more security updates for Red Hat JBoss Enterprise Application Platform 7.3.10.

Description

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:5150 advisory.

 - undertow: potential security issue in flow control over HTTP/2 may lead to DOS (CVE-2021-3629)

 - wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

 - wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users (CVE-2021-3717)

 - resteasy: Error message exposes endpoint class information (CVE-2021-20289)

 - jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck (CVE-2021-37714)

 - xml-security: XPath Transform abuse allows for information disclosure (CVE-2021-40690)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL Red Hat JBoss Enterprise Application Platform 7.3.10 package based on the guidance in RHSA-2021:5150.

See Also

http://www.nessus.org/u?34e23b20

http://www.nessus.org/u?39676da8

http://www.nessus.org/u?fd087063

https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/errata/RHSA-2021:5150

https://bugzilla.redhat.com/show_bug.cgi?id=1935927

https://bugzilla.redhat.com/show_bug.cgi?id=1977362

https://bugzilla.redhat.com/show_bug.cgi?id=1981407

https://bugzilla.redhat.com/show_bug.cgi?id=1991305

https://bugzilla.redhat.com/show_bug.cgi?id=1995259

https://bugzilla.redhat.com/show_bug.cgi?id=2011190

https://issues.redhat.com/browse/JBEAP-22144

https://issues.redhat.com/browse/JBEAP-22314

https://issues.redhat.com/browse/JBEAP-22332

https://issues.redhat.com/browse/JBEAP-22343

https://issues.redhat.com/browse/JBEAP-22363

https://issues.redhat.com/browse/JBEAP-22490

https://issues.redhat.com/browse/JBEAP-22501

https://issues.redhat.com/browse/JBEAP-22523

https://issues.redhat.com/browse/JBEAP-22734

Plugin Details

Severity: High

ID: 156106

File Name: redhat-RHSA-2021-5150.nasl

Version: 1.8

Type: local

Agent: unix

Published: 12/15/2021

Updated: 4/28/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-40690

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2021-3717

Vulnerability Information

CPE: cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services, p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator, p-cpe:/a:redhat:enterprise_linux:eap7-jakarta-el, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly15.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly16.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly17.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly18.0-server, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0, p-cpe:/a:redhat:enterprise_linux:eap7-jsoup, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-binding-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-rxjava2, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider, p-cpe:/a:redhat:enterprise_linux:eap7-undertow, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-bindings, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-policy, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-common, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-dom, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-policy-stax, p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-stax, p-cpe:/a:redhat:enterprise_linux:eap7-xml-security, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client-microprofile, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/15/2021

Vulnerability Publication Date: 3/26/2021

Reference Information

CVE: CVE-2021-20289, CVE-2021-3629, CVE-2021-3642, CVE-2021-3717, CVE-2021-37714, CVE-2021-40690

CWE: 200, 203, 209, 400, 552

IAVA: 2021-A-0556

RHSA: 2021:5150