RHEL 7:RHEL 7 上的 Red Hat JBoss Enterprise Application Platform 7.4.5 安全更新(中等)(RHSA-2022: 4918)
critical Nessus 插件 ID 161911
语言:
简介
远程 Red Hat 主机缺少一个或多个安全更新。描述
远程 Redhat Enterprise Linux 7 主机上安装的多个程序包受到 RHSA-2022: 4918 公告中提及的多个漏洞影响。- jackson-databind:通过大深度嵌套对象造成拒绝服务 (CVE-2020-36518)
- netty-codec:Bzip2Decoder 不允许为解压缩的数据设置大小限制 (CVE-2021-37136)
- netty-codec:SnappyFrameDecoder 不限制区块长度,并且可能以不必要的方式缓冲可跳过的区块 (CVE-2021-37137)
- h2:控制台中存在远程代码执行漏洞 (CVE-2021-42392)
- netty:标头名称中的控制字符可能导致 HTTP 请求走私 (CVE-2021-43797)
- xnio:org.xnio.StreamConnection.notifyReadClosed 登录到调试,而不是 stderr (CVE-2022-0084)
- jboss-client:远程客户端事务中存在内存泄漏漏洞 (CVE-2022-0853)
- wildfly:EJB 会话上下文的 Wildfly 管理在启用 Elytron 安全性的情况下会返回错误的调用程序主体 (CVE-2022-0866)
- undertow:EAP 7 中对 400 的双重 AJP 响应会导致 CPING 失败 (CVE-2022-1319)
- OpenJDK:因 XMLEntityScanner 未正确处理换行符而造成无限循环 (JAXP, 8270646) (CVE-2022-21299)
- mysql-connector-java:存在难以利用的漏洞,允许具有网络访问权限的高权限攻击者通过多种协议破坏 MySQL Connectors (CVE-2022-21363)
- h2:通过 JNDI 从远程服务器加载自定义类 (CVE-2022-23221)
- xerces-j2:处理特制的 XML 文档负载时发生无限循环 (CVE-2022-23437)
- artemis-commons:Apache ActiveMQ Artemis 存在 DoS 漏洞 (CVE-2022-23913)
- Moment.js:moment.locale 中存在路径遍历漏洞 (CVE-2022-24785)
请注意,Nessus 尚未测试这些问题,而是只依靠应用程序自我报告的版本号来判断。
解决方案
更新受影响的程序包。另见
https://access.redhat.com/security/cve/CVE-2020-36518
https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2021-42392
https://access.redhat.com/security/cve/CVE-2021-43797
https://access.redhat.com/security/cve/CVE-2022-0084
https://access.redhat.com/security/cve/CVE-2022-0853
https://access.redhat.com/security/cve/CVE-2022-0866
https://access.redhat.com/security/cve/CVE-2022-1319
https://access.redhat.com/security/cve/CVE-2022-21299
https://access.redhat.com/security/cve/CVE-2022-21363
https://access.redhat.com/security/cve/CVE-2022-23221
https://access.redhat.com/security/cve/CVE-2022-23437
https://access.redhat.com/security/cve/CVE-2022-23913
https://access.redhat.com/security/cve/CVE-2022-24785
https://access.redhat.com/errata/RHSA-2022:4918
https://bugzilla.redhat.com/2004133
https://bugzilla.redhat.com/2004135
https://bugzilla.redhat.com/2031958
https://bugzilla.redhat.com/2039403
https://bugzilla.redhat.com/2041472
https://bugzilla.redhat.com/2044596
https://bugzilla.redhat.com/2047200
https://bugzilla.redhat.com/2047343
https://bugzilla.redhat.com/2060725
https://bugzilla.redhat.com/2060929
https://bugzilla.redhat.com/2063601
https://bugzilla.redhat.com/2064226
https://bugzilla.redhat.com/2064698
插件详情
严重性: Critical
ID: 161911
文件名: redhat-RHSA-2022-4918.nasl
版本: 1.8
类型: local
代理: unix
发布时间: 2022/6/6
最近更新时间: 2023/10/26
支持的传感器: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
风险信息
VPR
风险因素: Medium
分数: 6.7
CVSS v2
风险因素: Critical
基本分数: 10
时间分数: 8.3
矢量: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 分数来源: CVE-2022-23221
CVSS v3
风险因素: Critical
基本分数: 9.8
时间分数: 9.1
矢量: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
时间矢量: CVSS:3.0/E:F/RL:O/RC:C
漏洞信息
CPE: cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools, p-cpe:/a:redhat:enterprise_linux:eap7-h2database, p-cpe:/a:redhat:enterprise_linux:eap7-hal-console, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator, p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base, p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8, p-cpe:/a:redhat:enterprise_linux:eap7-jberet, p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core, p-cpe:/a:redhat:enterprise_linux:eap7-log4j, p-cpe:/a:redhat:enterprise_linux:eap7-netty, p-cpe:/a:redhat:enterprise_linux:eap7-netty-all, p-cpe:/a:redhat:enterprise_linux:eap7-netty-buffer, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-dns, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-haproxy, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-http, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-http2, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-memcache, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-mqtt, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-redis, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-smtp, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-socks, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-stomp, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-xml, p-cpe:/a:redhat:enterprise_linux:eap7-netty-common, p-cpe:/a:redhat:enterprise_linux:eap7-netty-handler, p-cpe:/a:redhat:enterprise_linux:eap7-netty-handler-proxy, p-cpe:/a:redhat:enterprise_linux:eap7-netty-resolver, p-cpe:/a:redhat:enterprise_linux:eap7-netty-resolver-dns, p-cpe:/a:redhat:enterprise_linux:eap7-netty-resolver-dns-classes-macos, p-cpe:/a:redhat:enterprise_linux:eap7-netty-tcnative, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-classes-epoll, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-classes-kqueue, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-native-epoll, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-native-unix-common, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-rxtx, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-sctp, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-udt, p-cpe:/a:redhat:enterprise_linux:eap7-snakeyaml, p-cpe:/a:redhat:enterprise_linux:eap7-undertow, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client, p-cpe:/a:redhat:enterprise_linux:eap7-xerces-j2
必需的 KB 项: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
可利用: true
易利用性: Exploits are available
补丁发布日期: 2022/6/6
漏洞发布日期: 2021/10/19
参考资料信息
CVE: CVE-2020-36518, CVE-2021-37136, CVE-2021-37137, CVE-2021-42392, CVE-2021-43797, CVE-2022-0084, CVE-2022-0853, CVE-2022-0866, CVE-2022-1319, CVE-2022-21299, CVE-2022-21363, CVE-2022-23221, CVE-2022-23437, CVE-2022-23913, CVE-2022-24785