SB2020031305 - Multiple vulnerabilities in JBoss Enterprise Application Platform
Published: March 13, 2020 Updated: February 11, 2025
Description
This security bulletin contains information about 8 security vulnerabilities.
1) Infinite loop (CVE-ID: CVE-2019-0205)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop when processing user-supplied input. A remote attacker can pass malicious input to the application and consume all available system resources or cause denial of service conditions.
2) Input validation error (CVE-ID: CVE-2019-0210)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in TJSONProtocol and TSimpleJSONProtocol. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
3) Protection mechanism failure (CVE-ID: CVE-2019-10086)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists because BeanUtils does not, by default, use the special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress an attacker's ability to reach the classloader via the class property available on all Java objects. A remote attacker can abuse this behavior against applications that were developed to rely on this security feature.
4) XML External Entity Reference (CVE-ID: CVE-2019-12400)
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to the loading of XML parsing code from an untrusted source. A remote attacker can exploit this vulnerability to launch further attacks on the system when validating signed documents.
5) Cryptographic issues (CVE-ID: CVE-2019-14887)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists in WildFly. The 'enabled-protocols' value in legacy security is not respected if the OpenSSL security provider is in use. A remote attacker can abuse this issue to gain access to sensitive information.
6) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2019-20444)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to incorrect processing of HTTP headers that lack a colon within the HttpObjectDecoder.java file in Netty. A remote attacker can send a specially crafted HTTP request to the application and perform an HTTP request smuggling attack.
7) HTTP response splitting (CVE-ID: CVE-2019-20445)
The vulnerability allows a remote attacker to perform HTTP response splitting attacks.
The vulnerability exists because the software does not correctly process CRLF character sequences within HttpObjectDecoder.java in Netty, which allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. A remote attacker can send a specially crafted request containing a CRLF sequence and make the application send a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker to perform a cache poisoning attack.
8) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2020-7238)
The vulnerability allows a remote attacker to perform an HTTP request smuggling attack.
The vulnerability exists due to improper input validation when processing whitespace before the colon in HTTP headers (e.g. "Transfer-Encoding : chunked") followed by a later Content-Length header. A remote attacker can send a specially crafted HTTP request and perform an HTTP request smuggling attack.
This issue exists because of an incomplete fix for CVE-2019-16869 (SB2019092616).
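Items 6 to 8 share one root cause: a header parser that tolerates field lines RFC 7230 says a recipient must reject (no colon, whitespace between the field name and the colon, duplicate Content-Length, or Content-Length alongside Transfer-Encoding). When two parsers in a chain disagree about such a line, the request boundary can differ between them. The following is an added example, not code from the bulletin or from Netty, of a strict audit a defender can run over a raw request head (for example in a proxy filter or in tests for an in-house HTTP layer); the function name audit_request_head and the sample requests are constructed for this illustration.

```python
import re

# RFC 7230 "token" characters, the only ones allowed in a header field-name.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def audit_request_head(raw: bytes) -> list[str]:
    """Return findings for the head (request line + headers) of one HTTP/1.1
    request. An empty list means every check passed. Each finding names the
    condition a lenient parser might silently accept, creating a smuggling
    or splitting disagreement with a stricter parser downstream."""
    findings: list[str] = []

    # The head ends at the first empty line; whatever follows is the body.
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("header section not terminated by CRLF CRLF")

    # Bare LF or lone CR inside the head: recipients may tolerate it, but two
    # parsers can split the head differently, so treat it as a defect.
    stripped = head.replace(b"\r\n", b"")
    if b"\n" in stripped:
        findings.append("bare LF inside header section")
    if b"\r" in stripped:
        findings.append("lone CR inside header section")

    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:
        findings.append(f"malformed request line: {lines[0]!r}")

    content_lengths: list[bytes] = []
    has_transfer_encoding = False
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            # obs-fold (line folding) is deprecated and a classic desync vector.
            findings.append(f"obsolete line folding: {line!r}")
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append(f"header line without colon: {line!r}")
            continue
        if name != name.rstrip(b" \t"):
            # "Transfer-Encoding : chunked": one parser sees an unknown header,
            # another sees Transfer-Encoding. RFC 7230 3.2.4 requires rejection.
            findings.append(f"whitespace before colon: {line!r}")
            name = name.rstrip(b" \t")
        if not _TOKEN.match(name):
            findings.append(f"invalid characters in field name: {name!r}")
            continue
        lname = name.lower()
        if lname == b"content-length":
            content_lengths.append(value.strip())
        elif lname == b"transfer-encoding":
            has_transfer_encoding = True

    if len(content_lengths) > 1:
        findings.append("multiple Content-Length headers")
    if content_lengths and has_transfer_encoding:
        findings.append("Content-Length and Transfer-Encoding both present")
    for cl in content_lengths:
        if not cl.isdigit():
            findings.append(f"non-numeric Content-Length: {cl!r}")
    return findings


def is_acceptable(raw: bytes) -> bool:
    """True when the request head has no findings and may be forwarded."""
    return not audit_request_head(raw)


# Constructed sample requests, one per defect the bulletin describes.
SAMPLES = {
    "clean": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "space_before_colon": (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                           b"Transfer-Encoding : chunked\r\nContent-Length: 5\r\n\r\n"),
    "no_colon": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Broken\r\n\r\n",
    "double_cl": (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 5\r\nContent-Length: 6\r\n\r\n"),
    "cl_and_te": (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"),
    "bare_lf": b"GET / HTTP/1.1\nHost: example.test\n\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label}: {audit_request_head(request) or 'OK'}")
```

The audit is deliberately rejecting rather than normalizing: stripping the stray space or picking one Content-Length would just make this component one more parser with its own opinion about the request boundary, which is the disagreement the smuggling and splitting issues exploit.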
Remediation
Install updates from the vendor's website.