RHEL 9:RHEL 9 上的 Red Hat JBoss Enterprise Application Platform 7.4.10 (RHSA-2023: 1514)
critical Nessus 插件 ID 173691
语言:
简介
远程 Red Hat 主机缺少一个或多个安全更新。描述
远程 Redhat Enterprise Linux 9 主机上安装的程序包受到 RHSA-2023: 1514 公告中提及的多个漏洞的影响。- SnakeYaml:构造函数反序列化远程代码执行 (CVE-2022-1471)
- snakeyaml:java.base/java.util.ArrayList.hashCode 中有未捕获的异常 (CVE-2022-38752)
- hsqldb:不受信任的输入可能导致 RCE 攻击 (CVE-2022-41853)
- dev-java/snakeyaml:通过堆栈溢出造成的 DoS (CVE-2022-41854)
- codec-haproxy:HAProxyMessageDecoder 堆栈耗尽 DoS (CVE-2022-41881)
- undertow:undertow 客户端不检查 https 连接中的服务器身份 (CVE-2022-4492)
- apache-james-mime4j:MIME4J TempFileStorageProvider 中的临时文件信息泄露 (CVE-2022-45787)
- RESTEasy:创建不安全的临时文件 (CVE-2023-0482)
- Undertow:关闭期间 SslConduit 中出现无限循环 (CVE-2023-1108)
请注意,Nessus 尚未测试这些问题,而是只依据应用程序自我报告的版本号进行判断。
解决方案
更新受影响的程序包。另见
http://www.nessus.org/u?327e7d12
http://www.nessus.org/u?95a15247
http://www.nessus.org/u?9a7b4876
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/errata/RHSA-2023:1514
https://bugzilla.redhat.com/show_bug.cgi?id=2129710
https://bugzilla.redhat.com/show_bug.cgi?id=2136141
https://bugzilla.redhat.com/show_bug.cgi?id=2150009
https://bugzilla.redhat.com/show_bug.cgi?id=2151988
https://bugzilla.redhat.com/show_bug.cgi?id=2153260
https://bugzilla.redhat.com/show_bug.cgi?id=2153379
https://bugzilla.redhat.com/show_bug.cgi?id=2158916
https://bugzilla.redhat.com/show_bug.cgi?id=2166004
https://bugzilla.redhat.com/show_bug.cgi?id=2174246
https://issues.redhat.com/browse/JBEAP-23572
https://issues.redhat.com/browse/JBEAP-24122
https://issues.redhat.com/browse/JBEAP-24172
https://issues.redhat.com/browse/JBEAP-24182
https://issues.redhat.com/browse/JBEAP-24220
https://issues.redhat.com/browse/JBEAP-24254
https://issues.redhat.com/browse/JBEAP-24292
https://issues.redhat.com/browse/JBEAP-24339
https://issues.redhat.com/browse/JBEAP-24341
https://issues.redhat.com/browse/JBEAP-24363
https://issues.redhat.com/browse/JBEAP-24372
https://issues.redhat.com/browse/JBEAP-24380
https://issues.redhat.com/browse/JBEAP-24383
https://issues.redhat.com/browse/JBEAP-24384
https://issues.redhat.com/browse/JBEAP-24385
https://issues.redhat.com/browse/JBEAP-24395
https://issues.redhat.com/browse/JBEAP-24507
https://issues.redhat.com/browse/JBEAP-24535
https://issues.redhat.com/browse/JBEAP-24574
https://issues.redhat.com/browse/JBEAP-24588
插件详情
严重性: Critical
ID: 173691
文件名: redhat-RHSA-2023-1514.nasl
版本: 1.3
类型: local
代理: unix
发布时间: 2023/3/30
最近更新时间: 2024/4/28
支持的传感器: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
风险信息
VPR
风险因素: Medium
分数: 6.7
CVSS v2
风险因素: Critical
基本分数: 10
时间分数: 7.8
矢量: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 分数来源: CVE-2022-41853
CVSS v3
风险因素: Critical
基本分数: 9.8
时间分数: 8.8
矢量: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
时间矢量: CVSS:3.0/E:P/RL:O/RC:C
漏洞信息
CPE: cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native, p-cpe:/a:redhat:enterprise_linux:eap7-apache-mime4j, p-cpe:/a:redhat:enterprise_linux:eap7-artemis-native, p-cpe:/a:redhat:enterprise_linux:eap7-artemis-native-wildfly, p-cpe:/a:redhat:enterprise_linux:eap7-artemis-wildfly-integration, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-jdbc, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-remote, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-client-hotrod, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-commons, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-component-annotations, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-el-api_3.0_spec, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-metadata, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-metadata-appclient, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-metadata-common, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-metadata-ear, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-metadata-ejb, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-metadata-web, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli, p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core, p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-cxf, p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-spi, p-cpe:/a:redhat:enterprise_linux:eap7-netty, p-cpe:/a:redhat:enterprise_linux:eap7-netty-buffer, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-dns, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-haproxy, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-http, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-http2, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-memcache, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-mqtt, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-redis, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-smtp, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-socks, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-stomp, p-cpe:/a:redhat:enterprise_linux:eap7-netty-codec-xml, p-cpe:/a:redhat:enterprise_linux:eap7-netty-common, p-cpe:/a:redhat:enterprise_linux:eap7-netty-handler, p-cpe:/a:redhat:enterprise_linux:eap7-netty-handler-proxy, p-cpe:/a:redhat:enterprise_linux:eap7-netty-resolver, p-cpe:/a:redhat:enterprise_linux:eap7-netty-resolver-dns, p-cpe:/a:redhat:enterprise_linux:eap7-netty-resolver-dns-classes-macos, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-classes-epoll, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-classes-kqueue, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-native-epoll, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-native-unix-common, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-rxtx, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-sctp, p-cpe:/a:redhat:enterprise_linux:eap7-netty-transport-udt, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-api, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-common, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-config, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-federation, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-api, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-impl, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-simple-schema, p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-impl, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-binding-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-rxjava2, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11, p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider, p-cpe:/a:redhat:enterprise_linux:eap7-snakeyaml, p-cpe:/a:redhat:enterprise_linux:eap7-undertow, p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk17, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs, p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-core, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-hibernate-cache-commons, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-hibernate-cache-spi, p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-hibernate-cache-v53, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc, p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator
必需的 KB 项: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
可利用: true
易利用性: Exploits are available
补丁发布日期: 2023/3/29
漏洞发布日期: 2022/9/5
参考资料信息
CVE: CVE-2022-1471, CVE-2022-38752, CVE-2022-41853, CVE-2022-41854, CVE-2022-41881, CVE-2022-4492, CVE-2022-45787, CVE-2023-0482, CVE-2023-1108