SB2017082209 - Multiple vulnerabilities in JBoss Enterprise Application Platform
Published: August 22, 2017 Updated: August 8, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) XML External Entity injection (CVE-ID: CVE-2017-7464)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
It was found that the JAXP implementation used in JBoss EAP 7.0 for SAX and DOM parsing is vulnerable to certain XXE flaws. An attacker could use this flaw to cause DoS, SSRF, or information disclosure if they are able to provide XML content for parsing.
2) Information disclosure (CVE-ID: CVE-2016-6311)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers.
Remediation
Install update from vendor's website.
References
- http://www.securityfocus.com/bid/98450
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7464
- https://access.redhat.com/errata/RHSA-2017:3454
- https://access.redhat.com/errata/RHSA-2017:3455
- https://access.redhat.com/errata/RHSA-2017:3456
- https://access.redhat.com/errata/RHSA-2017:3458
- https://bugzilla.redhat.com/show_bug.cgi?id=1362735