Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.7 on RHEL 7 security update
🔗 CVE IDs covered (21)
📋 Description
- CVE-2019-9511 — HTTP/2: large amount of data requests leads to denial of service
- CVE-2019-9512 — HTTP/2: flood using PING frames results in unbounded memory growth
- CVE-2019-9514 — HTTP/2: flood using HEADERS frames results in unbounded memory growth
- CVE-2019-9515 — HTTP/2: flood using SETTINGS frames results in unbounded memory growth
- CVE-2019-10086 — apache-commons-beanutils: does not suppress the class property in PropertyUtilsBean by default
- CVE-2019-10174 — infinispan: invokeAccessibly method from ReflectionUtil class allows invoking private methods
- CVE-2019-12384 — jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
- CVE-2019-14379 — jackson-databind: default typing mishandling leading to remote code execution
- CVE-2019-14843 — wildfly-security-manager: security manager authorization bypass
- CVE-2019-14888 — undertow: possible Denial of Service (DoS) in Undertow HTTP server listening on HTTPS
- CVE-2019-16869 — netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers
- CVE-2019-17531 — jackson-databind: serialization gadgets in org.apache.log4j.receivers.db.*
- CVE-2019-20444 — netty: HTTP request smuggling
- CVE-2019-20445 — netty: HttpObjectDecoder.java allows a Content-Length header to be accompanied by a second Content-Length header
- CVE-2020-1710 — EAP: field-name is not parsed in accordance with RFC 7230
- CVE-2020-1745 — undertow: AJP file read/inclusion vulnerability
- CVE-2020-1757 — undertow: servletPath is normalized incorrectly, leading to dangerous application mapping which could result in security bypass
- CVE-2021-4104 — log4j: remote code execution in Log4j 1.x when application is configured to use JMSAppender
- CVE-2022-23302 — log4j: remote code execution in Log4j 1.x when application is configured to use JMSSink
- CVE-2022-23305 — log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
- CVE-2022-23307 — log4j: unsafe deserialization flaw in Chainsaw log viewer
🔗 References (27)
- self: https://access.redhat.com/errata/RHSA-2024:5856
- external: https://access.redhat.com/security/updates/classification/#important
- external: https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1
- external: https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1703469
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1725807
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1735645
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1735744
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1735745
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1737517
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1741860
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1752770
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1752980
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1758619
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1767483
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1772464
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1775293
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1793970
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1798509
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1798524
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1807305
- external: https://bugzilla.redhat.com/show_bug.cgi?id=2031667
- external: https://bugzilla.redhat.com/show_bug.cgi?id=2041949
- external: https://bugzilla.redhat.com/show_bug.cgi?id=2041959
- external: https://bugzilla.redhat.com/show_bug.cgi?id=2041967
- external: https://issues.redhat.com/browse/JBEAP-24826
- self: https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_5856.json