Action not permitted
Modal body text goes here.
CVE-2022-23307
Vulnerability from cvelistv5
Published
2022-01-18 15:25
Modified
2024-08-03 03:36
Severity ?
EPSS score ?
Summary
A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.
References
▼ | URL | Tags | |
---|---|---|---|
security@apache.org | https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh | Mailing List, Vendor Advisory | |
security@apache.org | https://logging.apache.org/log4j/1.2/index.html | Vendor Advisory | |
security@apache.org | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory | |
security@apache.org | https://www.oracle.com/security-alerts/cpujul2022.html | Patch, Third Party Advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Log4j 1.x |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:36:20.396Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://logging.apache.org/log4j/1.2/index.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Log4j 1.x", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "1.2.1", "versionType": "custom" }, { "lessThanOrEqual": "2.0-alpha1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "@kingkk" } ], "descriptions": [ { "lang": "en", "value": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists." } ], "metrics": [ { "other": { "content": { "other": "Critical" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-25T16:49:30", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://logging.apache.org/log4j/1.2/index.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "source": { "discovery": "UNKNOWN" }, "title": " A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.", "workarounds": [ { "lang": "en", "value": "Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-23307", "STATE": "PUBLIC", "TITLE": " A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution." }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Log4j 1.x", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "1.2.1" }, { "version_affected": "\u003c=", "version_value": "2.0-alpha1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "@kingkk" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "Critical" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data" } ] } ] }, "references": { "reference_data": [ { "name": "https://logging.apache.org/log4j/1.2/index.html", "refsource": "MISC", "url": "https://logging.apache.org/log4j/1.2/index.html" }, { "name": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", "refsource": "MISC", "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-23307", "datePublished": "2022-01-18T15:25:23", "dateReserved": "2022-01-17T00:00:00", "dateUpdated": "2024-08-03T03:36:20.396Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-23307\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-01-18T16:15:08.403\",\"lastModified\":\"2023-02-24T15:29:49.257\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.\"},{\"lang\":\"es\",\"value\":\"CVE-2020-9493 identific\u00f3 un problema de deserializaci\u00f3n presente en Apache Chainsaw. Versiones anteriores a Chainsaw V2.0 Chainsaw era un componente de Apache Log4j versiones 1.2.x donde se presenta el mismo problema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:C/A:C\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\",\"baseScore\":9.0},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:chainsaw:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.1.0\",\"matchCriteriaId\":\"4A0D9BED-411E-4E62-A281-237D3C90FFEB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.2\",\"versionEndExcluding\":\"2.0\",\"matchCriteriaId\":\"56EF3EFE-3632-4CDD-90EF-D2E614E05886\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.18.1\",\"matchCriteriaId\":\"EB681829-2B2A-4BDB-8DC5-B3C7D359F4C5\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A62E2A25-1AD7-4B4B-9D1B-F0DEA4550557\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0331158C-BBE0-42DB-8180-EB1FCD290567\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"B602F9E8-1580-436C-A26D-6E6F8121A583\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"77C3DD16-1D81-40E1-B312-50FBD275507C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"81DAC8C0-D342-44B5-9432-6B88D389584F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E869C417-C0E6-4FC3-B406-45598A1D1906\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DFEFE2C0-7B98-44F9-B3AD-D6EC607E90DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C68536CA-C7E2-4228-A6B8-F0DB6A9D29EC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C4A94B36-479F-48F2-9B9E-ACEA2589EF48\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E1214FDF-357A-4BB9-BADE-50FB2BD16D10\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B21E6EEF-2AB7-4E96-B092-1F49D11B4175\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"12.0.0.4.4\",\"matchCriteriaId\":\"61A2E42A-4EF2-437D-A0EC-4A6A4F1EBD11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5933FEA2-B79E-4EE7-B821-54D676B45734\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7637F8B-15F1-42E2-BE18-E1FF7C66587D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E43D793A-7756-4D58-A8ED-72DC4EC9CEA7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.2.1.1.1\",\"matchCriteriaId\":\"86EF205C-9CB1-4772-94D1-0B744EF3342D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6ED0EE39-C080-4E75-AE0F-3859B57EF851\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E8758C8-87D3-450A-878B-86CE8C9FC140\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"054B56E0-F11B-4939-B7E1-E722C67A041A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"250A493C-E052-4978-ABBE-786DC8038448\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E2B771B-230A-4811-94D7-065C2722E428\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E67501BE-206A-49FD-8CBA-22935DF917F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"11.2.8.0\",\"matchCriteriaId\":\"E8E7FBA9-0FFF-4C86-B151-28C17A142E0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"11.2.8.0\",\"matchCriteriaId\":\"55BBCD48-BCC6-4E19-A4CE-970E524B9FF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1489DDA7-EDBE-404C-B48D-F0B52B741708\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"535BC19C-21A1-48E3-8CC0-B276BA5D494E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D7EA92D-9F26-4292-991A-891597337DFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"228DA523-4D6D-48C5-BDB0-DB1A60F23F8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9AB179A8-DFB7-4DCF-8DE3-096F376989F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"8.0.29\",\"matchCriteriaId\":\"B0EBAC6D-D0CE-42A1-AEA0-2D50C8035747\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"30501D23-5044-477A-8DC3-7610126AEFD7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB7D0A30-3986-49AB-B7F3-DAE0024504BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F14A818F-AA16-4438-A3E4-E64C9287AC66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"04BCDC24-4A21-473C-8733-0D9CFB38A752\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://logging.apache.org/log4j/1.2/index.html\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}" } }
rhsa-2022_1299
Vulnerability from csaf_redhat
Published
2022-04-11 13:00
Modified
2024-11-15 14:46
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
Notes
Topic
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)
* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)
* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1299", "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1299.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2024-11-15T14:46:14+00:00", "generator": { "date": "2024-11-15T14:46:14+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:1299", "initial_release_date": "2022-04-11T13:00:49+00:00", "revision_history": [ { "date": "2022-04-11T13:00:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T13:00:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:46:14+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 7.4.4 release", "product": { "name": "EAP 7.4.4 release", "product_id": "EAP 7.4.4 release", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0524
Vulnerability from csaf_redhat
Published
2022-02-14 17:10
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 Security Update
Notes
Topic
An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 13. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)
* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)
* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)
* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 13. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)\n* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)\n* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0524", "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0524.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 Security Update", "tracking": { "current_release_date": "2024-11-15T14:42:43+00:00", "generator": { "date": "2024-11-15T14:42:43+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0524", "initial_release_date": "2022-02-14T17:10:12+00:00", "revision_history": [ { "date": "2022-02-14T17:10:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-14T17:10:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:43+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Server 3.1 for RHEL 7", "product": { "name": "Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" }, { "branches": [ { "category": "product_version", "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product_id": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native@1.2.23-26.redhat_26.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "tomcat7-0:7.0.70-46.ep7.el7.src", "product": { "name": "tomcat7-0:7.0.70-46.ep7.el7.src", "product_id": "tomcat7-0:7.0.70-46.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7@7.0.70-46.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "tomcat8-0:8.0.36-49.ep7.el7.src", "product": { "name": "tomcat8-0:8.0.36-49.ep7.el7.src", "product_id": "tomcat8-0:8.0.36-49.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8@8.0.36-49.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_id": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native@1.2.23-26.redhat_26.ep7.el7?arch=x86_64" } } }, { "category": "product_version", "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product": { "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_id": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.23-26.redhat_26.ep7.el7?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-lib@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-log4j@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-selinux@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-webapps@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-lib@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-log4j@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-selinux@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-webapps@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src" }, "product_reference": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64" }, "product_reference": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64" }, "product_reference": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-0:7.0.70-46.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src" }, "product_reference": "tomcat7-0:7.0.70-46.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-0:8.0.36-49.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src" }, "product_reference": "tomcat8-0:8.0.36-49.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0446
Vulnerability from csaf_redhat
Published
2022-02-07 13:43
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 security update
Notes
Topic
A security update is now available for Red Hat Single Sign-On 7.4 from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.4.10 serves as a replacement for Red Hat Single Sign-On 7.4.9, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat Single Sign-On 7.4 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.4.10 serves as a replacement for Red Hat Single Sign-On 7.4.9, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0446", "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.4" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2064", "url": "https://issues.redhat.com/browse/CIAM-2064" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0446.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 security update", "tracking": { "current_release_date": "2024-11-15T14:42:22+00:00", "generator": { "date": "2024-11-15T14:42:22+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0446", "initial_release_date": "2022-02-07T13:43:49+00:00", "revision_history": [ { "date": "2022-02-07T13:43:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:43:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:22+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.4.10", "product": { "name": "Red Hat Single Sign-On 7.4.10", "product_id": "Red Hat Single Sign-On 7.4.10", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0450
Vulnerability from csaf_redhat
Published
2022-02-07 14:45
Modified
2022-02-07 14:45
Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 for OpenShift image security and enhancement update
Notes
Topic
A new image is available for Red Hat Single Sign-On 7.5.1, running on OpenShift Container Platform 3.10 and 3.11, and 4.9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
This erratum releases a new image for Red Hat Single Sign-On 7.5.1 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.9 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 2023 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.5.1, running on OpenShift Container Platform 3.10 and 3.11, and 4.9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.5.1 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.9 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0450", "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2022/rhsa-2022_0450.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 for OpenShift image security and enhancement update", "tracking": { "current_release_date": "2022-02-07T14:45:00Z", "generator": { "date": "2023-07-01T05:19:00Z", "engine": { "name": "Red Hat SDEngine", "version": "3.18.0" } }, "id": "RHSA-2022:0450", "initial_release_date": "2022-02-07T14:45:00Z", "revision_history": [ { "date": "2022-02-07T14:45:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "category": "product_version", "name": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "product": { "name": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "product_id": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9" } }, { "category": "product_version", "name": "rh-sso-7/sso75-openshift-rhel8:7.5-17", "product": { "name": "rh-sso-7/sso75-openshift-rhel8:7.5-17", "product_id": "rh-sso-7/sso75-openshift-rhel8:7.5-17" } } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9" }, "product_reference": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso75-openshift-rhel8:7.5-17 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" }, "product_reference": "rh-sso-7/sso75-openshift-rhel8:7.5-17", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00Z", "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" }, { "category": "external", "summary": "CVE-2021-4104", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "bz#2031667: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" } ], "release_date": "2021-12-10T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ], "url": "https://access.redhat.com/errata/RHSA-2022:0450" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] } ], "threats": [ { "category": "impact", "date": "2021-12-13T00:00:00Z", "details": "Moderate" } ], "title": "Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00Z", "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" }, { "category": "external", "summary": "CVE-2022-23302", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "bz#2041949: CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" } ], "release_date": "2022-01-18T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ], "url": "https://access.redhat.com/errata/RHSA-2022:0450" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] } ], "threats": [ { "category": "impact", "date": "2022-01-18T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00Z", "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" }, { "category": "external", "summary": "CVE-2022-23305", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "bz#2041959: CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" } ], "release_date": "2022-01-18T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ], "url": "https://access.redhat.com/errata/RHSA-2022:0450" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] } ], "threats": [ { "category": "impact", "date": "2022-01-18T00:00:00Z", "details": "Important" } ], "title": "CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00Z", "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" }, { "category": "external", "summary": "CVE-2022-23307", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "bz#2041967: CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" } ], "release_date": "2022-01-18T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ], "url": "https://access.redhat.com/errata/RHSA-2022:0450" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] } ], "threats": [ { "category": "impact", "date": "2022-01-18T00:00:00Z", "details": "Important" } ], "title": "CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0469
Vulnerability from csaf_redhat
Published
2022-02-08 13:56
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 2.0.1 release and security update
Notes
Topic
Red Hat AMQ Streams 2.0.1 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.0.1 serves as a replacement for Red Hat AMQ Streams 2.0.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat AMQ Streams 2.0.1 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 2.0.1 serves as a replacement for Red Hat AMQ Streams 2.0.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0469", "url": "https://access.redhat.com/errata/RHSA-2022:0469" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.streams\u0026version=2.0.1", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.streams\u0026version=2.0.1" }, { "category": "external", "summary": "2034388", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0469.json" } ], "title": "Red Hat Security Advisory: Red Hat AMQ Streams 2.0.1 release and security update", "tracking": { "current_release_date": "2024-11-15T14:42:03+00:00", "generator": { "date": "2024-11-15T14:42:03+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0469", "initial_release_date": "2022-02-08T13:56:51+00:00", "revision_history": [ { "date": "2022-02-08T13:56:51+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-08T13:56:51+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:03+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat AMQ Streams 2.0.1", "product": { "name": "Red Hat AMQ Streams 2.0.1", "product_id": "Red Hat AMQ Streams 2.0.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:amq_streams:2" } } } ], "category": "product_family", "name": "Red Hat JBoss AMQ" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Jordy Versmissen" ] } ], "cve": "CVE-2021-4178", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2021-12-16T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034388" } ], "notes": [ { "category": "description", "text": "A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.", "title": "Vulnerability description" }, { "category": "summary", "text": "kubernetes-client: Insecure deserialization in unmarshalYaml method", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat CodeReady Studio 12 is not affected by this flaw because it does not ship a vulnerable version of kubernetes-client; the version that it ships does not use SnakeYAML.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 2.0.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4178" }, { "category": "external", "summary": "RHBZ#2034388", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4178", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4178" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4178", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4178" } ], "release_date": "2022-01-05T15:05:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T13:56:51+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 2.0.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0469" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 2.0.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "kubernetes-client: Insecure deserialization in unmarshalYaml method" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 2.0.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T13:56:51+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 2.0.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0469" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat AMQ Streams 2.0.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 2.0.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 2.0.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T13:56:51+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 2.0.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0469" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat AMQ Streams 2.0.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 2.0.1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 2.0.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T13:56:51+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 2.0.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0469" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat AMQ Streams 2.0.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 2.0.1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_1297
Vulnerability from csaf_redhat
Published
2022-04-11 13:00
Modified
2024-11-15 14:47
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
Notes
Topic
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)
* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)
* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1297", "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22900", "url": "https://issues.redhat.com/browse/JBEAP-22900" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1297.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2024-11-15T14:47:10+00:00", "generator": { "date": "2024-11-15T14:47:10+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:1297", "initial_release_date": "2022-04-11T13:00:18+00:00", "revision_history": [ { "date": "2022-04-11T13:00:18+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T13:00:18+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:47:10+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el8eap?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64@2.2.0-2.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el8eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-compensations@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbosstxbridge@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbossxts@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-idlj@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-integration@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-api@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-bridge@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-integration@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-util@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-txframework@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-cli@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-commons@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-core-client@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-dto@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hornetq-protocol@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hqclient-protocol@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jdbc-store@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-client@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-server@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-journal@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-ra@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-selector@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-server@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-service-extensions@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-tools@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.11-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el8eap?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-java@2.2.0-3.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_id": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64@2.2.0-2.Final_redhat_00002.1.el8eap?arch=x86_64" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_id": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64-debuginfo@2.2.0-2.Final_redhat_00002.1.el8eap?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0447
Vulnerability from csaf_redhat
Published
2022-02-07 13:55
Modified
2024-11-15 14:41
Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 7
Notes
Topic
New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.5.1 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* undertow: client side invocation timeout raised when calling over HTTP and HTTP2 (CVE-2021-3859)
* log4j: Remote code execution in Log4j 1.x when application is configured to
use JMSSink (CVE-2022-23302)
* log4j: SQL injection in Log4j 1.x when application is configured to use
JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to
use JMSAppender (CVE-2021-4104)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: client side invocation timeout raised when calling over HTTP and HTTP2 (CVE-2021-3859)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use\nJDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0447", "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/", "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-1976", "url": "https://issues.redhat.com/browse/CIAM-1976" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0447.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 7", "tracking": { "current_release_date": "2024-11-15T14:41:49+00:00", "generator": { "date": "2024-11-15T14:41:49+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0447", "initial_release_date": "2022-02-07T13:55:22+00:00", "revision_history": [ { "date": "2022-02-07T13:55:22+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:55:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:41:49+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product": { "name": "Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el7sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el7sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_id": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.4-1.redhat_00003.1.el7sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "relates_to_product_reference": "7Server-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "relates_to_product_reference": "7Server-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "relates_to_product_reference": "7Server-RHSSO-7.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_5459
Vulnerability from csaf_redhat
Published
2022-06-30 19:00
Modified
2024-11-15 14:53
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update
Notes
Topic
A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)
* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5459", "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1873620", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873620" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5459.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2024-11-15T14:53:47+00:00", "generator": { "date": "2024-11-15T14:53:47+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:5459", "initial_release_date": "2022-06-30T19:00:12+00:00", "revision_history": [ { "date": "2022-06-30T19:00:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T19:00:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:53:47+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el6?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el6?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0436
Vulnerability from csaf_redhat
Published
2022-02-03 18:30
Modified
2024-11-15 14:41
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update
Notes
Topic
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0436", "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0436.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update", "tracking": { "current_release_date": "2024-11-15T14:41:41+00:00", "generator": { "date": "2024-11-15T14:41:41+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0436", "initial_release_date": "2022-02-03T18:30:42+00:00", "revision_history": [ { "date": "2022-02-03T18:30:42+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:30:42+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:41:41+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" } } }, { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el8eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el8eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0291
Vulnerability from csaf_redhat
Published
2022-01-26 14:54
Modified
2024-11-15 14:40
Summary
Red Hat Security Advisory: parfait:0.5 security update
Notes
Topic
An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0291", "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0291.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2024-11-15T14:40:58+00:00", "generator": { "date": "2024-11-15T14:40:58+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0291", "initial_release_date": "2022-01-26T14:54:58+00:00", "revision_history": [ { "date": "2022-01-26T14:54:58+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:54:58+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:40:58+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.2::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait:0.5:8020020220124231008:1c5d4e8a", "product": { "name": "parfait:0.5:8020020220124231008:1c5d4e8a", "product_id": "parfait:0.5:8020020220124231008:1c5d4e8a", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/parfait@0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product": { "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_id": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch" } } }, { "category": "product_version", "name": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product": { "name": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_id": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch" } } }, { "category": "product_version", "name": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_id": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_id": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "product": { "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "product_id": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=src" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, "product_reference": "parfait:0.5:8020020220124231008:1c5d4e8a", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch" }, "product_reference": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src" }, "product_reference": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch" }, "product_reference": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch" }, "product_reference": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch" }, "product_reference": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0437
Vulnerability from csaf_redhat
Published
2022-02-03 18:43
Modified
2024-11-15 14:41
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 6.4.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This asynchronous patch is an update for JBoss Enterprise Application Platform 6.4. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis asynchronous patch is an update for JBoss Enterprise Application Platform 6.4. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0437", "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0437.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update", "tracking": { "current_release_date": "2024-11-15T14:41:57+00:00", "generator": { "date": "2024-11-15T14:41:57+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0437", "initial_release_date": "2022-02-03T18:43:46+00:00", "revision_history": [ { "date": "2022-02-03T18:43:46+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:43:46+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:41:57+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 6.4 log4j async", "product": { "name": "EAP 6.4 log4j async", "product_id": "EAP 6.4 log4j async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0444
Vulnerability from csaf_redhat
Published
2022-02-07 13:41
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 on OpenJDK for OpenShift image security update
Notes
Topic
A new image is available for Red Hat Single Sign-On 7.4.10 on OpenJDK, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
This erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.4.10 on OpenJDK, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0444", "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2060", "url": "https://issues.redhat.com/browse/CIAM-2060" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0444.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 on OpenJDK for OpenShift image security update", "tracking": { "current_release_date": "2024-11-15T14:42:30+00:00", "generator": { "date": "2024-11-15T14:42:30+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0444", "initial_release_date": "2022-02-07T13:41:18+00:00", "revision_history": [ { "date": "2022-02-07T13:41:18+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:41:18+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:30+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product": { "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product_id": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product_identification_helper": { "purl": "pkg:oci/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openshift-rhel8\u0026tag=7.4-45" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" }, "product_reference": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0448
Vulnerability from csaf_redhat
Published
2022-02-07 13:54
Modified
2024-11-15 14:41
Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 8
Notes
Topic
New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.5.1 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* undertow: client side invocation timeout raised when calling over HTTP and
HTTP2 (CVE-2021-3859)
* log4j: Remote code execution in Log4j 1.x when application is configured to
use JMSSink (CVE-2022-23302)
* log4j: SQL injection in Log4j 1.x when application is configured to use
JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to
use JMSAppender (CVE-2021-4104)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: client side invocation timeout raised when calling over HTTP and\nHTTP2 (CVE-2021-3859)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use\nJDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0448", "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/", "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-1976", "url": "https://issues.redhat.com/browse/CIAM-1976" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0448.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 8", "tracking": { "current_release_date": "2024-11-15T14:41:42+00:00", "generator": { "date": "2024-11-15T14:41:42+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0448", "initial_release_date": "2022-02-07T13:54:48+00:00", "revision_history": [ { "date": "2022-02-07T13:54:48+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:54:48+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:41:42+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.5 for RHEL 8", "product": { "name": "Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el8sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el8sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_id": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.4-1.redhat_00003.1.el8sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "relates_to_product_reference": "8Base-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "relates_to_product_reference": "8Base-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "relates_to_product_reference": "8Base-RHSSO-7.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0445
Vulnerability from csaf_redhat
Published
2022-02-07 14:22
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 on OpenJ9 for OpenShift image security update
Notes
Topic
A new image is available for Red Hat Single Sign-On 7.4.10 on OpenJ9, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
This erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.4.10 on OpenJ9, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0445", "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2059", "url": "https://issues.redhat.com/browse/CIAM-2059" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0445.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 on OpenJ9 for OpenShift image security update", "tracking": { "current_release_date": "2024-11-15T14:42:37+00:00", "generator": { "date": "2024-11-15T14:42:37+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0445", "initial_release_date": "2022-02-07T14:22:21+00:00", "revision_history": [ { "date": "2022-02-07T14:22:21+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T14:22:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:37+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product_id": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product_identification_helper": { "purl": "pkg:oci/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8?arch=s390x\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openj9-openshift-rhel8\u0026tag=7.4-60" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product_id": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product_identification_helper": { "purl": "pkg:oci/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96?arch=ppc64le\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openj9-openshift-rhel8\u0026tag=7.4-60" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le" }, "product_reference": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" }, "product_reference": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0442
Vulnerability from csaf_redhat
Published
2022-02-07 11:07
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: log4j security update
Notes
Topic
An update for log4j is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Log4j is a tool to help the programmer output log statements to a variety of output targets.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for log4j is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0442", "url": "https://access.redhat.com/errata/RHSA-2022:0442" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0442.json" } ], "title": "Red Hat Security Advisory: log4j security update", "tracking": { "current_release_date": "2024-11-15T14:42:45+00:00", "generator": { "date": "2024-11-15T14:42:45+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0442", "initial_release_date": "2022-02-07T11:07:00+00:00", "revision_history": [ { "date": "2022-02-07T11:07:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T11:07:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:45+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.3)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.3::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.3::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.4)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.4::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.4::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server E4S (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server TUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Client (v. 7)", "product": { "name": "Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::client" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Client Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::client" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::computenode" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server (v. 7)", "product": { "name": "Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Workstation (v. 7)", "product": { "name": "Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server (v. 6 ELS)", "product": { "name": "Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_els:6" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product": { "name": "Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_els:6" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.17-17.el7_3.src", "product": { "name": "log4j-0:1.2.17-17.el7_3.src", "product_id": "log4j-0:1.2.17-17.el7_3.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-17.el7_3?arch=src" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-18.el7_4.src", "product": { "name": "log4j-0:1.2.17-18.el7_4.src", "product_id": "log4j-0:1.2.17-18.el7_4.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-18.el7_4?arch=src" } } }, { "category": "product_version", "name": "log4j-0:1.2.14-6.6.el6_10.src", "product": { "name": "log4j-0:1.2.14-6.6.el6_10.src", "product_id": "log4j-0:1.2.14-6.6.el6_10.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.6.el6_10?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.17-17.el7_3.noarch", "product": { "name": "log4j-0:1.2.17-17.el7_3.noarch", "product_id": "log4j-0:1.2.17-17.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-17.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.17-17.el7_3.noarch", "product": { "name": "log4j-javadoc-0:1.2.17-17.el7_3.noarch", "product_id": "log4j-javadoc-0:1.2.17-17.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.17-17.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.17-17.el7_3.noarch", "product": { "name": "log4j-manual-0:1.2.17-17.el7_3.noarch", "product_id": "log4j-manual-0:1.2.17-17.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.17-17.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-18.el7_4.noarch", "product": { "name": "log4j-0:1.2.17-18.el7_4.noarch", "product_id": "log4j-0:1.2.17-18.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-18.el7_4?arch=noarch" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "product": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "product_id": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.17-18.el7_4?arch=noarch" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.17-18.el7_4.noarch", "product": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch", "product_id": "log4j-manual-0:1.2.17-18.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.17-18.el7_4?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.6.el6_10.x86_64", "product": { "name": "log4j-0:1.2.14-6.6.el6_10.x86_64", "product_id": "log4j-0:1.2.14-6.6.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.6.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "product": { "name": "log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "product_id": "log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.6.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "product": { "name": "log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "product_id": "log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.6.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "product": { "name": "log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "product_id": "log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.6.el6_10?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.6.el6_10.i686", "product": { "name": "log4j-0:1.2.14-6.6.el6_10.i686", "product_id": "log4j-0:1.2.14-6.6.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.6.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "product": { "name": "log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "product_id": "log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.6.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "product": { "name": "log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "product_id": "log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.6.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.6.el6_10.i686", "product": { "name": "log4j-manual-0:1.2.14-6.6.el6_10.i686", "product_id": "log4j-manual-0:1.2.14-6.6.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.6.el6_10?arch=i686" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.6.el6_10.s390x", "product": { "name": "log4j-0:1.2.14-6.6.el6_10.s390x", "product_id": "log4j-0:1.2.14-6.6.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.6.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "product": { "name": "log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "product_id": "log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.6.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "product": { "name": "log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "product_id": "log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.6.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.6.el6_10.s390x", "product": { "name": "log4j-manual-0:1.2.14-6.6.el6_10.s390x", "product_id": "log4j-manual-0:1.2.14-6.6.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.6.el6_10?arch=s390x" } } } ], "category": "architecture", "name": "s390x" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.6.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686" }, "product_reference": "log4j-0:1.2.14-6.6.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.6.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x" }, "product_reference": "log4j-0:1.2.14-6.6.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.6.el6_10.src as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src" }, "product_reference": "log4j-0:1.2.14-6.6.el6_10.src", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.6.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64" }, "product_reference": "log4j-0:1.2.14-6.6.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.6.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.6.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686" }, "product_reference": "log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.6.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x" }, "product_reference": "log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64" }, "product_reference": "log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.6.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686" }, "product_reference": "log4j-manual-0:1.2.14-6.6.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.6.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x" }, "product_reference": "log4j-manual-0:1.2.14-6.6.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.6.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64" }, "product_reference": "log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.6.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686" }, "product_reference": "log4j-0:1.2.14-6.6.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.6.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x" }, "product_reference": "log4j-0:1.2.14-6.6.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.6.el6_10.src as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src" }, "product_reference": "log4j-0:1.2.14-6.6.el6_10.src", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.6.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64" }, "product_reference": "log4j-0:1.2.14-6.6.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.6.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.6.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686" }, "product_reference": "log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.6.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x" }, "product_reference": "log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64" }, "product_reference": "log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.6.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686" }, "product_reference": "log4j-manual-0:1.2.14-6.6.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.6.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x" }, "product_reference": "log4j-manual-0:1.2.14-6.6.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.6.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64" }, "product_reference": "log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_3.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src" }, "product_reference": "log4j-0:1.2.17-17.el7_3.src", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_3.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src" }, "product_reference": "log4j-0:1.2.17-17.el7_3.src", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-18.el7_4.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src" }, "product_reference": "log4j-0:1.2.17-18.el7_4.src", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-18.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-18.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T11:07:00+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0442" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T11:07:00+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0442" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T11:07:00+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0442" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.6.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.6.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-17.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-17.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-18.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-18.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-18.el7_4.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0294
Vulnerability from csaf_redhat
Published
2022-01-26 14:48
Modified
2024-11-15 14:40
Summary
Red Hat Security Advisory: parfait:0.5 security update
Notes
Topic
An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0294", "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0294.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2024-11-15T14:40:49+00:00", "generator": { "date": "2024-11-15T14:40:49+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0294", "initial_release_date": "2022-01-26T14:48:57+00:00", "revision_history": [ { "date": "2022-01-26T14:48:57+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:48:57+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:40:49+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product": { "name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_e4s:8.1::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait:0.5:8010020220124232535:d5701770", "product": { "name": "parfait:0.5:8010020220124232535:d5701770", "product_id": "parfait:0.5:8010020220124232535:d5701770", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/parfait@0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product": { "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_id": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch" } } }, { "category": "product_version", "name": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product": { "name": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_id": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch" } } }, { "category": "product_version", "name": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_id": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_id": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "product": { "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "product_id": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=src" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, "product_reference": "parfait:0.5:8010020220124232535:d5701770", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch" }, "product_reference": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src" }, "product_reference": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch" }, "product_reference": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch" }, "product_reference": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch" }, "product_reference": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0553
Vulnerability from csaf_redhat
Published
2022-02-15 18:54
Modified
2024-11-15 14:41
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R20 security and bug fix update
Notes
Topic
An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0553", "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_amq/6.3", "url": "https://access.redhat.com/documentation/en-us/red_hat_amq/6.3" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_fuse/6.3", "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/6.3" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0553.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R20 security and bug fix update", "tracking": { "current_release_date": "2024-11-15T14:41:58+00:00", "generator": { "date": "2024-11-15T14:41:58+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0553", "initial_release_date": "2022-02-15T18:54:23+00:00", "revision_history": [ { "date": "2022-02-15T18:54:23+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-15T18:54:23+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:41:58+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Fuse/AMQ 6.3.20", "product": { "name": "Red Hat Fuse/AMQ 6.3.20", "product_id": "Red Hat Fuse/AMQ 6.3.20", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_amq:6.3" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0467
Vulnerability from csaf_redhat
Published
2022-02-08 12:52
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 1.6.7 release and security update
Notes
Topic
Red Hat AMQ Streams 1.6.7 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 1.6.7 serves as a replacement for Red Hat AMQ Streams 1.6.6, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)
* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat AMQ Streams 1.6.7 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 1.6.7 serves as a replacement for Red Hat AMQ Streams 1.6.6, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0467", "url": "https://access.redhat.com/errata/RHSA-2022:0467" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.streams\u0026version=1.6.7", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.streams\u0026version=1.6.7" }, { "category": "external", "summary": "2034388", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0467.json" } ], "title": "Red Hat Security Advisory: Red Hat AMQ Streams 1.6.7 release and security update", "tracking": { "current_release_date": "2024-11-15T14:42:11+00:00", "generator": { "date": "2024-11-15T14:42:11+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0467", "initial_release_date": "2022-02-08T12:52:13+00:00", "revision_history": [ { "date": "2022-02-08T12:52:13+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-08T12:52:13+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:11+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat AMQ Streams 1.6.7", "product": { "name": "Red Hat AMQ Streams 1.6.7", "product_id": "Red Hat AMQ Streams 1.6.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:amq_streams:1" } } } ], "category": "product_family", "name": "Red Hat JBoss AMQ" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Jordy Versmissen" ] } ], "cve": "CVE-2021-4178", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2021-12-16T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034388" } ], "notes": [ { "category": "description", "text": "A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.", "title": "Vulnerability description" }, { "category": "summary", "text": "kubernetes-client: Insecure deserialization in unmarshalYaml method", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat CodeReady Studio 12 is not affected by this flaw because it does not ship a vulnerable version of kubernetes-client; the version that it ships does not use SnakeYAML.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.6.7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4178" }, { "category": "external", "summary": "RHBZ#2034388", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4178", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4178" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4178", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4178" } ], "release_date": "2022-01-05T15:05:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T12:52:13+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.6.7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0467" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.6.7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "kubernetes-client: Insecure deserialization in unmarshalYaml method" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.6.7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T12:52:13+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.6.7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0467" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "Red Hat AMQ Streams 1.6.7" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.6.7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.6.7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T12:52:13+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.6.7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0467" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat AMQ Streams 1.6.7" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.6.7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.6.7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T12:52:13+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.6.7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0467" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat AMQ Streams 1.6.7" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.6.7" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.6.7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T12:52:13+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.6.7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0467" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat AMQ Streams 1.6.7" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.6.7" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0439
Vulnerability from csaf_redhat
Published
2022-02-03 19:09
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: rh-maven36-log4j12 security update
Notes
Topic
An update for rh-maven36-log4j12 is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Log4j is a tool to help the programmer output log statements to a variety of output targets.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for rh-maven36-log4j12 is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0439", "url": "https://access.redhat.com/errata/RHSA-2022:0439" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0439.json" } ], "title": "Red Hat Security Advisory: rh-maven36-log4j12 security update", "tracking": { "current_release_date": "2024-11-15T14:42:13+00:00", "generator": { "date": "2024-11-15T14:42:13+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0439", "initial_release_date": "2022-02-03T19:09:28+00:00", "revision_history": [ { "date": "2022-02-03T19:09:28+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T19:09:28+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:13+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } }, { "category": "product_name", "name": "Red Hat Software Collections for RHEL(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } } ], "category": "product_family", "name": "Red Hat Software Collections" }, { "branches": [ { "category": "product_version", "name": "rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "product": { "name": "rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "product_id": "rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12@1.2.17-23.4.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "product": { "name": "rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "product_id": "rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12@1.2.17-23.4.el7?arch=noarch" } } }, { "category": "product_version", "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "product": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "product_id": "rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12-javadoc@1.2.17-23.4.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.4.el7.src as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" }, "product_reference": "rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.4.el7.src as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" }, "product_reference": "rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T19:09:28+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0439" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T19:09:28+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0439" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T19:09:28+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0439" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.4.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.4.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_5458
Vulnerability from csaf_redhat
Published
2022-06-30 18:34
Modified
2024-11-15 14:53
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update
Notes
Topic
A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4. Red Hat Product Security has rated this update as having a security impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)
* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4. Red Hat Product Security has rated this update as having a security impact of Important.\n\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5458", "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5458.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2024-11-15T14:53:47+00:00", "generator": { "date": "2024-11-15T14:53:47+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:5458", "initial_release_date": "2022-06-30T18:34:28+00:00", "revision_history": [ { "date": "2022-06-30T18:34:28+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T18:34:28+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:53:47+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 6.4.24 release", "product": { "name": "EAP 6.4.24 release", "product_id": "EAP 6.4.24 release", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0290
Vulnerability from csaf_redhat
Published
2022-01-26 14:51
Modified
2024-11-15 14:40
Summary
Red Hat Security Advisory: parfait:0.5 security update
Notes
Topic
An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0290", "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0290.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2024-11-15T14:40:41+00:00", "generator": { "date": "2024-11-15T14:40:41+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0290", "initial_release_date": "2022-01-26T14:51:27+00:00", "revision_history": [ { "date": "2022-01-26T14:51:27+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:51:27+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:40:41+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product": { "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait:0.5:8050020220124063900:6b489b78", "product": { "name": "parfait:0.5:8050020220124063900:6b489b78", "product_id": "parfait:0.5:8050020220124063900:6b489b78", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/parfait@0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product": { "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_id": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch" } } }, { "category": "product_version", "name": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product": { "name": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_id": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch" } } }, { "category": "product_version", "name": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_id": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_id": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "product": { "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "product_id": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=src" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, "product_reference": "parfait:0.5:8050020220124063900:6b489b78", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch" }, "product_reference": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src" }, "product_reference": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch" }, "product_reference": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch" }, "product_reference": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch" }, "product_reference": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2024_5856
Vulnerability from csaf_redhat
Published
2024-08-26 11:05
Modified
2024-11-15 15:10
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.7 on RHEL 7 security update
Notes
Topic
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.1.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.1.7 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* undertow: EAP: field-name is not parsed in accordance to RFC7230 [eap-7.1.z] (CVE-2020-1710)
* commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default [eap-7.1.z] (CVE-2019-10086)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [eap-7.1.z] (CVE-2022-23302)
* jackson-databind: default typing mishandling leading to remote code execution [eap-7.1.z] (CVE-2019-14379)
* undertow: HTTP/2: flood using HEADERS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9514)
* undertow: AJP File Read/Inclusion Vulnerability [eap-7.1.z] (CVE-2020-1745)
* undertow: HTTP/2: large amount of data requests leads to denial of service [eap-7.1.z] (CVE-2019-9511)
* undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass [eap-7.1.z] (CVE-2020-1757)
* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS [eap-7.1.z] (CVE-2019-14888)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer [eap-7.1.z] (CVE-2022-23307)
* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header [eap-7.1.z] (CVE-2019-20445)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [eap-7.1.z] (CVE-2021-4104)
* undertow: HTTP/2: flood using SETTINGS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9515)
* infinispan-core: infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods [eap-7.1.z] (CVE-2019-10174)
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [eap-7.1.z] (CVE-2022-23305)
* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution [eap-7.1.z] (CVE-2019-12384)
* wildfly-security-manager: security manager authorization bypass (CVE-2019-14843)
* HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)
* jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)
* netty: HTTP request smuggling (CVE-2019-20444)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.1.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.1.7 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* undertow: EAP: field-name is not parsed in accordance to RFC7230 [eap-7.1.z] (CVE-2020-1710)\n\n* commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default [eap-7.1.z] (CVE-2019-10086)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [eap-7.1.z] (CVE-2022-23302)\n\n* jackson-databind: default typing mishandling leading to remote code execution [eap-7.1.z] (CVE-2019-14379)\n\n* undertow: HTTP/2: flood using HEADERS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9514)\n\n* undertow: AJP File Read/Inclusion Vulnerability [eap-7.1.z] (CVE-2020-1745)\n\n* undertow: HTTP/2: large amount of data requests leads to denial of service [eap-7.1.z] (CVE-2019-9511)\n\n* undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass [eap-7.1.z] (CVE-2020-1757)\n\n* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS [eap-7.1.z] (CVE-2019-14888)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer [eap-7.1.z] (CVE-2022-23307)\n\n* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header [eap-7.1.z] (CVE-2019-20445)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [eap-7.1.z] (CVE-2021-4104)\n\n* undertow: HTTP/2: flood using SETTINGS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9515)\n\n* infinispan-core: infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods [eap-7.1.z] (CVE-2019-10174)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [eap-7.1.z] (CVE-2022-23305)\n\n* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution [eap-7.1.z] (CVE-2019-12384)\n\n* wildfly-security-manager: security manager authorization bypass (CVE-2019-14843)\n\n* HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n* jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\n* netty: HTTP request smuggling (CVE-2019-20444)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:5856", "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index" }, { "category": "external", "summary": "1703469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1703469" }, { "category": "external", "summary": "1725807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1725807" }, { "category": "external", "summary": "1735645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645" }, { "category": "external", "summary": "1735744", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744" }, { "category": "external", "summary": "1735745", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745" }, { "category": "external", "summary": "1737517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737517" }, { "category": "external", "summary": "1741860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1741860" }, { "category": "external", "summary": "1752770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752770" }, { "category": "external", "summary": "1752980", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752980" }, { "category": "external", "summary": "1758619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619" }, { "category": "external", "summary": "1767483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483" }, { "category": "external", "summary": "1772464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772464" }, { "category": "external", "summary": "1775293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1775293" }, { "category": "external", "summary": "1793970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970" }, { "category": "external", "summary": "1798509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509" }, { "category": "external", "summary": "1798524", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524" }, { "category": "external", "summary": "1807305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807305" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-24826", "url": "https://issues.redhat.com/browse/JBEAP-24826" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_5856.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.7 on RHEL 7 security update", "tracking": { "current_release_date": "2024-11-15T15:10:26+00:00", "generator": { "date": "2024-11-15T15:10:26+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2024:5856", "initial_release_date": "2024-08-26T11:05:47+00:00", "revision_history": [ { "date": "2024-08-26T11:05:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-08-26T11:05:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T15:10:26+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product_id": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@1.4.18-12.SP12_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product_id": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product_id": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.1.13-1.Final_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product_id": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-commons-beanutils@1.9.4-1.redhat_00002.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product_id": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product_id": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.8.11.5-1.redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product_id": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@1.4.18-12.SP12_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty-all@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.1.13-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-commons-beanutils@1.9.4-1.redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.8.11.5-1.redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-9511", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1741860" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. An attacker can request a large amount of data by manipulating window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this queue can consume excess CPU, memory, or both, leading to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: large amount of data requests leads to denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "There are no mitigations available for nghttp2 and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9511" }, { "category": "external", "summary": "RHBZ#1741860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1741860" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9511", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9511" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://kb.cert.org/vuls/id/605641/", "url": "https://kb.cert.org/vuls/id/605641/" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/", "url": "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/" } ], "release_date": "2019-08-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fixed is released for Software Collections. In the meantime users of Quay can disable http/2 support in Nginx by following these instructions:\n\n1. Copy the Nginx configuration from the quay container to the host\n$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx\n\n2. Edit the Nginx configuration, removing http/2 support\n$ sed -i \u0027s/http2 //g\u0027 /mnt/quay/nginx/nginx.conf\n\n3. Restart Nginx with the new configuration mounted into the container, eg:\n$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: large amount of data requests leads to denial of service" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9512", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735645" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using PING frames and queuing of response PING ACK frames, a flood attack could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using PING frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9512" }, { "category": "external", "summary": "RHBZ#1735645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9512", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9512" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using PING frames results in unbounded memory growth" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9514", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735744" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using HEADER frames with invalid HTTP headers and queuing of response RST_STREAM frames, an attacker could cause a flood resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using HEADERS frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9514" }, { "category": "external", "summary": "RHBZ#1735744", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9514", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9514" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using HEADERS frames results in unbounded memory growth" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9515", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735745" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using SETTINGS frames and queuing of SETTINGS ACK frames, a flood could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue affects the version of grafana(embeds gRPC) as shipped with Red Hat Ceph Storage 3 as it include the support for HTTP/2.\nThis flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9515" }, { "category": "external", "summary": "RHBZ#1735745", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9515", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9515" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth" }, { "cve": "CVE-2019-10086", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-10-31T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1767483" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-10086" }, { "category": "external", "summary": "RHBZ#1767483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10086", "url": "https://www.cve.org/CVERecord?id=CVE-2019-10086" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086" }, { "category": "external", "summary": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt", "url": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt" } ], "release_date": "2019-08-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is no currently known mitigation for this flaw.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default" }, { "cve": "CVE-2019-10174", "cwe": { "id": "CWE-470", "name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)" }, "discovery_date": "2018-10-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1703469" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan\u0027s privileges. The attacker can use reflection to introduce new, malicious behavior into the application.", "title": "Vulnerability description" }, { "category": "summary", "text": "infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, no OpenDaylight versions will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-10174" }, { "category": "external", "summary": "RHBZ#1703469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1703469" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10174", "url": "https://www.cve.org/CVERecord?id=CVE-2019-10174" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174" } ], "release_date": "2019-11-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is no known mitigation for this issue.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods" }, { "cve": "CVE-2019-12384", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-06-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1725807" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. Depending on the classpath content, remote code execution may be possible.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack\u0027s OpenDaylight does not use logback in any supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.\n\nThis vulnerability relies on logback-core (ch.qos.logback.core) being present in the application\u0027s ClassPath. Logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use logback-core are not impacted by this vulnerability.\n\nThis issue affects the versions of jackson-databind bundled with candlepin as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-12384" }, { "category": "external", "summary": "RHBZ#1725807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1725807" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-12384", "url": "https://www.cve.org/CVERecord?id=CVE-2019-12384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384" } ], "release_date": "2019-06-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution" }, { "cve": "CVE-2019-14379", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-07-29T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1737517" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: default typing mishandling leading to remote code execution", "title": "Vulnerability summary" }, { "category": "other", "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nSimilarly, Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14379" }, { "category": "external", "summary": "RHBZ#1737517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737517" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14379", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14379" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379" } ], "release_date": "2019-07-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: default typing mishandling leading to remote code execution" }, { "cve": "CVE-2019-14843", "cwe": { "id": "CWE-592", "name": "CWE-592" }, "discovery_date": "2019-09-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1752980" } ], "notes": [ { "category": "description", "text": "A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "wildfly-security-manager: security manager authorization bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14843" }, { "category": "external", "summary": "RHBZ#1752980", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752980" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14843", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14843" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14843", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14843" } ], "release_date": "2019-09-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "This flaw only affects the Security Manager running under JDK 11 or 8. To mitigate exposure to this flaw, do not run under those JDK versions.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "wildfly-security-manager: security manager authorization bypass" }, { "acknowledgments": [ { "names": [ "Henning Baldersheim", "H\u00e5vard Pettersen" ], "organization": "Verizon Media" } ], "cve": "CVE-2019-14888", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-10-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1772464" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the Undertow HTTP server listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14888" }, { "category": "external", "summary": "RHBZ#1772464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772464" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14888", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14888" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14888", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14888" } ], "release_date": "2020-01-20T12:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Enable HTTP2 (enable-http2=\"true\") in the undertow\u0027s HTTPS settings.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS" }, { "cve": "CVE-2019-16869", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2019-09-26T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1758619" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty, where whitespace before the colon in HTTP headers is mishandled. This flaw allows an attacker to cause HTTP request smuggling.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that this vulnerability does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships vulnerable netty version embedded in Candlepin, however, is not directly vulnerable since HTTP requests are handled by Tomcat and not netty.\n\n[1] https://github.com/elastic/elasticsearch/issues/49396", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-16869" }, { "category": "external", "summary": "RHBZ#1758619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-16869", "url": "https://www.cve.org/CVERecord?id=CVE-2019-16869" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869" } ], "release_date": "2019-09-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers" }, { "cve": "CVE-2019-17531", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2019-11-21T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1775293" } ], "notes": [ { "category": "description", "text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*", "title": "Vulnerability summary" }, { "category": "other", "text": "Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenShift Container Platform does ship the vulnerable component, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17531" }, { "category": "external", "summary": "RHBZ#1775293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1775293" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17531", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17531" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531" } ], "release_date": "2019-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*" }, { "cve": "CVE-2019-20444", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2020-01-30T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1798524" } ], "notes": [ { "category": "description", "text": "A HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to version 4.1.44. HTTP headers with an invalid fold, in this case CRLF (carriage return, line feed) without being followed by SP (space) or HTAB (horizontal tab), result in situations where headers can be misread. Data integrity is the highest threat with this vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HTTP request smuggling", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not pose a substantial practical threat to ElasticSearch 6. We agree that these issues would be difficult to exploit on OpenShift Container Platform so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20444" }, { "category": "external", "summary": "RHBZ#1798524", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20444", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20444" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444" }, { "category": "external", "summary": "https://github.com/elastic/elasticsearch/issues/49396", "url": "https://github.com/elastic/elasticsearch/issues/49396" } ], "release_date": "2020-01-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HTTP request smuggling" }, { "cve": "CVE-2019-20445", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2020-01-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1798509" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a server, it could result in a viable HTTP smuggling vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit both these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.\n\n[1] https://github.com/elastic/elasticsearch/issues/49396", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20445" }, { "category": "external", "summary": "RHBZ#1798509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20445", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20445" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445" } ], "release_date": "2020-01-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header" }, { "cve": "CVE-2020-1710", "cwe": { "id": "CWE-113", "name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1793970" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in JBoss EAP, where it does not process the header field-name in accordance with RFC7230. Whitespace between the header field-name and colon is processed, resulting in an HTTP response code of 200 instead of a bad request of 400.", "title": "Vulnerability description" }, { "category": "summary", "text": "EAP: field-name is not parsed in accordance to RFC7230", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1710" }, { "category": "external", "summary": "RHBZ#1793970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1710", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1710" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1710", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1710" } ], "release_date": "2020-08-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is currently no known mitigation for this issue.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "EAP: field-name is not parsed in accordance to RFC7230" }, { "acknowledgments": [ { "names": [ "Steve Zapantis", "Robert Roberson", "taktakdb4g" ] } ], "cve": "CVE-2020-1745", "cwe": { "id": "CWE-285", "name": "Improper Authorization" }, "discovery_date": "2020-02-24T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1807305" } ], "notes": [ { "category": "description", "text": "A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: AJP File Read/Inclusion Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251 and CVE page https://access.redhat.com/security/cve/cve-2020-1938", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1745" }, { "category": "external", "summary": "RHBZ#1807305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807305" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1745", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1745" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1745", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1745" }, { "category": "external", "summary": "https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/", "url": "https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/" }, { "category": "external", "summary": "https://www.cnvd.org.cn/webinfo/show/5415", "url": "https://www.cnvd.org.cn/webinfo/show/5415" }, { "category": "external", "summary": "https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487", "url": "https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487" } ], "release_date": "2020-02-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: AJP File Read/Inclusion Vulnerability" }, { "acknowledgments": [ { "names": [ "Fedorov Oleksii", "Keitaro Yamazaki", "Shiga Ryota" ], "organization": "LINE Corporation" } ], "cve": "CVE-2020-1757", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2019-09-09T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1752770" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow, where the servlet container causes the servletPath to normalize incorrectly by truncating the path after the semicolon. The flaw may lead to application mapping, resulting in a security bypass.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1757" }, { "category": "external", "summary": "RHBZ#1752770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1757", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1757" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1757", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1757" } ], "release_date": "2018-12-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The issue can be mitigated by configuring UrlPathHelper to ignore the servletPath via setting \"alwaysUseFullPath\".", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0289
Vulnerability from csaf_redhat
Published
2022-01-26 14:57
Modified
2024-11-15 14:41
Summary
Red Hat Security Advisory: parfait:0.5 security update
Notes
Topic
An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0289", "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0289.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2024-11-15T14:41:05+00:00", "generator": { "date": "2024-11-15T14:41:05+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0289", "initial_release_date": "2022-01-26T14:57:42+00:00", "revision_history": [ { "date": "2022-01-26T14:57:42+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:57:42+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:41:05+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.4::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait:0.5:8040020220124230039:d304d9ed", "product": { "name": "parfait:0.5:8040020220124230039:d304d9ed", "product_id": "parfait:0.5:8040020220124230039:d304d9ed", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/parfait@0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product": { "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_id": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch" } } }, { "category": "product_version", "name": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product": { "name": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_id": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch" } } }, { "category": "product_version", "name": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_id": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_id": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "product": { "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "product_id": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=src" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, "product_reference": "parfait:0.5:8040020220124230039:d304d9ed", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch" }, "product_reference": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src" }, "product_reference": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch" }, "product_reference": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch" }, "product_reference": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch" }, "product_reference": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0507
Vulnerability from csaf_redhat
Published
2022-02-10 17:26
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP2 security update
Notes
Topic
An update is now available for Red Hat JBoss Data Virtualization.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.
This Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP2 (Service Pack 2) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8 and Red Hat JBoss Data Virtualization 6.4.8.SP1, and mitigates the impact of the log4j CVE's referenced in this document by removing the affected classes from the patch.
Note: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)
Security Fix(es):
* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP2 (Service Pack 2) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8 and Red Hat JBoss Data Virtualization 6.4.8.SP1, and mitigates the impact of the log4j CVE\u0027s referenced in this document by removing the affected classes from the patch.\n\nNote: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)\n\nSecurity Fix(es):\n\n* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0507", "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/" }, { "category": "external", "summary": "1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0507.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP2 security update", "tracking": { "current_release_date": "2024-11-15T14:42:35+00:00", "generator": { "date": "2024-11-15T14:42:35+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0507", "initial_release_date": "2022-02-10T17:26:37+00:00", "revision_history": [ { "date": "2022-02-10T17:26:37+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-10T17:26:37+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:35+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product": { "name": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product_id": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Virtualization" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17571", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1785616" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: deserialization of untrusted data in SocketServer", "title": "Vulnerability summary" }, { "category": "other", "text": "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17571" }, { "category": "external", "summary": "RHBZ#1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571" } ], "release_date": "2019-12-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: deserialization of untrusted data in SocketServer" }, { "cve": "CVE-2020-9488", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2020-04-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1831139" } ], "notes": [ { "category": "description", "text": "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: improper validation of certificate with host mismatch in SMTP appender", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-9488" }, { "category": "external", "summary": "RHBZ#1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488" } ], "release_date": "2020-04-25T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: improper validation of certificate with host mismatch in SMTP appender" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0475
Vulnerability from csaf_redhat
Published
2022-02-08 17:00
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: RHV Manager (ovirt-engine) security update [ovirt-4.4.10-1]
Notes
Topic
Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The ovirt-engine package provides the manager for virtualization environments.
This manager enables admins to define hosts and networks, as well as to add
storage, create VMs and manage user permissions.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
Bug Fix(es):
* With this release, the ovirt-engine-extension-logger-log4j package has been removed. It is replaced by an internal ovirt-engine implementation.
When upgrading from earlier Red Hat Virtualization versions to RHV 4.4.10, the ovirt-engine-extension-logger-log4j package is uninstalled if it is present. If you used the ovirt-engine-extension-logger-log4j in earlier Red Hat Virtualization versions, you must manually remove the ovirt-engine-extension-logger-log4j configuration files and configure the new feature for sending log records to a remote syslog service, as outlined in the Administration Guide.
After a successful upgrade to RHV 4.4.10, you can uninstall log4j12 without breaking the Red Hat Virtualization setup by running the following command: `$ dnf remove log4j12`. (BZ#2044277)
* Previously, when preparing a host with FIPS kernel parameters enabled, the boot UUID parameter was blank after reboot. In this release, the UUID is present in the kernel arguments. Enabling FIPS does not change the UUID after reboot. (BZ#2013430)
* Because installing the self-hosted engine with Cockpit is deprecated, the 'Installing Red Hat Virtualization as a self-hosted engine using the Cockpit web interface' link
on the Red Hat Virtualization Administration Portal login page has been replaced with the "Installing Red Hat Virtualization as a self-hosted engine using the command line" link. (BZ#1992476)
* In this release, Red Hat Virtualization 4.4.10 requires snmp4j version 3.6.4 or later, which no longer depends on the log4j library. (BZ#2044257)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The ovirt-engine package provides the manager for virtualization environments.\nThis manager enables admins to define hosts and networks, as well as to add\nstorage, create VMs and manage user permissions.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\nBug Fix(es):\n\n* With this release, the ovirt-engine-extension-logger-log4j package has been removed. It is replaced by an internal ovirt-engine implementation. \n\nWhen upgrading from earlier Red Hat Virtualization versions to RHV 4.4.10, the ovirt-engine-extension-logger-log4j package is uninstalled if it is present. If you used the ovirt-engine-extension-logger-log4j in earlier Red Hat Virtualization versions, you must manually remove the ovirt-engine-extension-logger-log4j configuration files and configure the new feature for sending log records to a remote syslog service, as outlined in the Administration Guide.\n\nAfter a successful upgrade to RHV 4.4.10, you can uninstall log4j12 without breaking the Red Hat Virtualization setup by running the following command: `$ dnf remove log4j12`. (BZ#2044277)\n\n* Previously, when preparing a host with FIPS kernel parameters enabled, the boot UUID parameter was blank after reboot. In this release, the UUID is present in the kernel arguments. Enabling FIPS does not change the UUID after reboot. (BZ#2013430)\n\n* Because installing the self-hosted engine with Cockpit is deprecated, the \u0027Installing Red Hat Virtualization as a self-hosted engine using the Cockpit web interface\u0027 link\non the Red Hat Virtualization Administration Portal login page has been replaced with the \"Installing Red Hat Virtualization as a self-hosted engine using the command line\" link. (BZ#1992476)\n\n* In this release, Red Hat Virtualization 4.4.10 requires snmp4j version 3.6.4 or later, which no longer depends on the log4j library. (BZ#2044257)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0475", "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "1992476", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992476" }, { "category": "external", "summary": "2013430", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013430" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "2044257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044257" }, { "category": "external", "summary": "2044277", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044277" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0475.json" } ], "title": "Red Hat Security Advisory: RHV Manager (ovirt-engine) security update [ovirt-4.4.10-1]", "tracking": { "current_release_date": "2024-11-15T14:42:20+00:00", "generator": { "date": "2024-11-15T14:42:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0475", "initial_release_date": "2022-02-08T17:00:26+00:00", "revision_history": [ { "date": "2022-02-08T17:00:26+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-08T17:00:26+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product": { "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8" } } } ], "category": "product_family", "name": "Red Hat Virtualization" }, { "branches": [ { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product_id": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.10-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "snmp4j-0:3.6.4-0.1.el8ev.src", "product": { "name": "snmp4j-0:3.6.4-0.1.el8ev.src", "product_id": "snmp4j-0:3.6.4-0.1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j@3.6.4-0.1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product_id": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.10.6-0.1.el8ev?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product_id": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.10-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product": { "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product_id": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j@3.6.4-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product": { "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product_id": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j-javadoc@3.6.4-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-backend@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dbscripts@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-health-check-bundler@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-restapi@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-base@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-cinderlib@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-imageio@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine-common@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-websocket-proxy@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools-backup@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-vmconsole-proxy-helper@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-webadmin-portal@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-websocket-proxy@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-ovirt-engine-lib@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm@4.4.10.6-0.1.el8ev?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src" }, "product_reference": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch" }, "product_reference": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" }, "product_reference": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch" }, "product_reference": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-0:3.6.4-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src" }, "product_reference": "snmp4j-0:3.6.4-0.1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" }, "product_reference": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0497
Vulnerability from csaf_redhat
Published
2022-02-09 13:11
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP1 security update
Notes
Topic
An update is now available for Red Hat JBoss Data Virtualization.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.
This Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP1 (Service Pack 1) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8, and mitigates the impact of the log4j CVE's referenced in this document by removing the affected classes from the patch.
Note: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)
Security Fix(es):
* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP1 (Service Pack 1) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8, and mitigates the impact of the log4j CVE\u0027s referenced in this document by removing the affected classes from the patch.\n\nNote: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)\n\nSecurity Fix(es):\n\n* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0497", "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/" }, { "category": "external", "summary": "1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0497.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP1 security update", "tracking": { "current_release_date": "2024-11-15T14:42:27+00:00", "generator": { "date": "2024-11-15T14:42:27+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0497", "initial_release_date": "2022-02-09T13:11:07+00:00", "revision_history": [ { "date": "2022-02-09T13:11:07+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-09T13:11:07+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:27+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product": { "name": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product_id": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Virtualization" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17571", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1785616" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: deserialization of untrusted data in SocketServer", "title": "Vulnerability summary" }, { "category": "other", "text": "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17571" }, { "category": "external", "summary": "RHBZ#1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571" } ], "release_date": "2019-12-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: deserialization of untrusted data in SocketServer" }, { "cve": "CVE-2020-9488", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2020-04-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1831139" } ], "notes": [ { "category": "description", "text": "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: improper validation of certificate with host mismatch in SMTP appender", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-9488" }, { "category": "external", "summary": "RHBZ#1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488" } ], "release_date": "2020-04-25T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: improper validation of certificate with host mismatch in SMTP appender" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0430
Vulnerability from csaf_redhat
Published
2022-02-03 14:04
Modified
2024-11-15 14:41
Summary
Red Hat Security Advisory: Red Hat Data Grid 7.3.9 security update
Notes
Topic
An update for Red Hat Data Grid is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.
Data Grid 7.3.9 replaces Data Grid 7.3.8 and includes bug fixes and enhancements. Find out more about Data Grid 7.3.8 in the Release Notes [3].
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for Red Hat Data Grid is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 7.3.9 replaces Data Grid 7.3.8 and includes bug fixes and enhancements. Find out more about Data Grid 7.3.8 in the Release Notes [3].\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0430", "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=7.3\u0026downloadType=patches", "url": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=7.3\u0026downloadType=patches" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0430.json" } ], "title": "Red Hat Security Advisory: Red Hat Data Grid 7.3.9 security update", "tracking": { "current_release_date": "2024-11-15T14:41:33+00:00", "generator": { "date": "2024-11-15T14:41:33+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0430", "initial_release_date": "2022-02-03T14:04:37+00:00", "revision_history": [ { "date": "2022-02-03T14:04:37+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T14:04:37+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:41:33+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Data Grid 7.3.9", "product": { "name": "Red Hat Data Grid 7.3.9", "product_id": "Red Hat Data Grid 7.3.9", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_grid:7.3" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Grid" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0527
Vulnerability from csaf_redhat
Published
2022-02-14 17:30
Modified
2024-11-15 14:41
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 security update
Notes
Topic
An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7 and Microsoft Windows.
Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 12. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)
* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)
* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)
* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7 and Microsoft Windows.\n\nRed Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 12. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)\n* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)\n* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0527", "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0527.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 security update", "tracking": { "current_release_date": "2024-11-15T14:41:50+00:00", "generator": { "date": "2024-11-15T14:41:50+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0527", "initial_release_date": "2022-02-14T17:30:24+00:00", "revision_history": [ { "date": "2022-02-14T17:30:24+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-14T17:30:24+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:41:50+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Server 3.1", "product": { "name": "Red Hat JBoss Web Server 3.1", "product_id": "Red Hat JBoss Web Server 3.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_5460
Vulnerability from csaf_redhat
Published
2022-06-30 19:14
Modified
2024-11-15 14:53
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update
Notes
Topic
A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)
* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5460", "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1873619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873619" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5460.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2024-11-15T14:53:39+00:00", "generator": { "date": "2024-11-15T14:53:39+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:5460", "initial_release_date": "2022-06-30T19:14:26+00:00", "revision_history": [ { "date": "2022-06-30T19:14:26+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T19:14:26+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:53:39+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el7?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el7?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0438
Vulnerability from csaf_redhat
Published
2022-02-03 18:51
Modified
2024-11-15 14:41
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This asynchronous patch is an update for JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis asynchronous patch is an update for JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0438", "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0438.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update", "tracking": { "current_release_date": "2024-11-15T14:41:50+00:00", "generator": { "date": "2024-11-15T14:41:50+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0438", "initial_release_date": "2022-02-03T18:51:47+00:00", "revision_history": [ { "date": "2022-02-03T18:51:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:51:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:41:50+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6" } } }, { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0661
Vulnerability from csaf_redhat
Published
2022-02-23 14:06
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: Red Hat Fuse 7.10.1 release and security update
Notes
Topic
A minor version update (from 7.10 to 7.10.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Red Hat Fuse 7.10.1 serves as a replacement for Red Hat Fuse 7.10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A minor version update (from 7.10 to 7.10.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "This release of Red Hat Fuse 7.10.1 serves as a replacement for Red Hat Fuse 7.10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0661", "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0661.json" } ], "title": "Red Hat Security Advisory: Red Hat Fuse 7.10.1 release and security update", "tracking": { "current_release_date": "2024-11-15T14:42:41+00:00", "generator": { "date": "2024-11-15T14:42:41+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0661", "initial_release_date": "2022-02-23T14:06:23+00:00", "revision_history": [ { "date": "2022-02-23T14:06:23+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-23T14:06:23+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:41+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Fuse 7.10.1", "product": { "name": "Red Hat Fuse 7.10.1", "product_id": "Red Hat Fuse 7.10.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse:7" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_1296
Vulnerability from csaf_redhat
Published
2022-04-11 12:59
Modified
2024-11-15 14:47
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
Notes
Topic
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)
* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)
* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1296", "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22899", "url": "https://issues.redhat.com/browse/JBEAP-22899" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1296.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2024-11-15T14:47:17+00:00", "generator": { "date": "2024-11-15T14:47:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:1296", "initial_release_date": "2022-04-11T12:59:41+00:00", "revision_history": [ { "date": "2022-04-11T12:59:41+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T12:59:41+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:47:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el7eap?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64@2.2.0-2.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el7eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-compensations@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbosstxbridge@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbossxts@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-idlj@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-integration@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-api@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-bridge@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-integration@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-util@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-txframework@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-cli@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-commons@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-core-client@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-dto@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hornetq-protocol@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hqclient-protocol@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jdbc-store@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-client@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-server@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-journal@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-ra@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-selector@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-server@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-service-extensions@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-tools@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.11-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el7eap?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-java@2.2.0-3.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_id": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64@2.2.0-2.Final_redhat_00002.1.el7eap?arch=x86_64" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_id": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64-debuginfo@2.2.0-2.Final_redhat_00002.1.el7eap?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0449
Vulnerability from csaf_redhat
Published
2022-02-07 13:48
Modified
2024-11-15 14:41
Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update
Notes
Topic
A security update is now available for Red Hat Single Sign-On 7.5 from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.5.1 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat Single Sign-On 7.5 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0449", "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.5", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.5" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2054", "url": "https://issues.redhat.com/browse/CIAM-2054" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0449.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update", "tracking": { "current_release_date": "2024-11-15T14:41:56+00:00", "generator": { "date": "2024-11-15T14:41:56+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0449", "initial_release_date": "2022-02-07T13:48:02+00:00", "revision_history": [ { "date": "2022-02-07T13:48:02+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:48:02+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:41:56+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHSSO 7.5.1", "product": { "name": "RHSSO 7.5.1", "product_id": "RHSSO 7.5.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "acknowledgments": [ { "names": [ "Christian D\u00f6lling" ] } ], "cve": "CVE-2022-1466", "cwe": { "id": "CWE-1220", "name": "Insufficient Granularity of Access Control" }, "discovery_date": "2022-02-03T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2050228" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak. The Red Hat Single Sign-On allowed authed users to perform actions outside their permissions. This flaw makes adding users to the master realm possible even though no respective permission was granted.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Improper authorization for master realm", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1466" }, { "category": "external", "summary": "RHBZ#2050228", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050228" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1466", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1466" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1466", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1466" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: Improper authorization for master realm" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0435
Vulnerability from csaf_redhat
Published
2022-02-03 18:23
Modified
2024-11-15 14:42
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update
Notes
Topic
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.
Security Fix(es):
* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0435", "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0435.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update", "tracking": { "current_release_date": "2024-11-15T14:42:05+00:00", "generator": { "date": "2024-11-15T14:42:05+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0435", "initial_release_date": "2022-02-03T18:23:56+00:00", "revision_history": [ { "date": "2022-02-03T18:23:56+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:23:56+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:42:05+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 7.4 log4j async", "product": { "name": "EAP 7.4 log4j async", "product_id": "EAP 7.4 log4j async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
wid-sec-w-2024-0064
Vulnerability from csaf_certbund
Published
2024-01-10 23:00
Modified
2024-01-10 23:00
Summary
Juniper Produkte: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JUNOS ist das "Juniper Network Operating System", das in Juniper Appliances verwendet wird.
SRX Series Services Gateways ist ein Next-Generation Anti-Threat Firewall von Juniper.
Bei den Switches der Juniper EX-Serie handelt es sich um Access- und Aggregations-/Core-Layer-Switches.
Die Switches der QFX-Serie von Juniper sichern und automatisieren Netzwerke in Rechenzentren.
Die Juniper MX-Serie ist eine Produktfamilie von Routern.
Angriff
Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter, lokaler oder physischer Angreifer kann mehrere Schwachstellen in Juniper JUNOS, Juniper JUNOS Evolved, Juniper SRX Series, Juniper EX Series, Juniper QFX Series, Juniper ACX Series, Juniper PTX Series und Juniper MX Series ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand herbeizuführen und seine Berechtigungen zu erweitern.
Betroffene Betriebssysteme
- BIOS/Firmware
- Appliance
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "JUNOS ist das \"Juniper Network Operating System\", das in Juniper Appliances verwendet wird.\r\nSRX Series Services Gateways ist ein Next-Generation Anti-Threat Firewall von Juniper.\r\nBei den Switches der Juniper EX-Serie handelt es sich um Access- und Aggregations-/Core-Layer-Switches.\r\nDie Switches der QFX-Serie von Juniper sichern und automatisieren Netzwerke in Rechenzentren. \r\nDie Juniper MX-Serie ist eine Produktfamilie von Routern.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter, lokaler oder physischer Angreifer kann mehrere Schwachstellen in Juniper JUNOS, Juniper JUNOS Evolved, Juniper SRX Series, Juniper EX Series, Juniper QFX Series, Juniper ACX Series, Juniper PTX Series und Juniper MX Series ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand herbeizuf\u00fchren und seine Berechtigungen zu erweitern.", "title": "Angriff" }, { "category": "general", "text": "- BIOS/Firmware\n- Appliance", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0064 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0064.json" }, { "category": "self", "summary": "WID-SEC-2024-0064 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0064" }, { "category": "external", "summary": "Juniper Security Advisory JSA11272 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA11272" }, { "category": "external", "summary": "Juniper Security Advisory JSA75233 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75233" }, { "category": "external", "summary": "Juniper Security Advisory JSA75721 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75721" }, { "category": "external", "summary": "Juniper Security Advisory JSA75723 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75723" }, { "category": "external", "summary": "Juniper Security Advisory JSA75725 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75725" }, { "category": "external", "summary": "Juniper Security Advisory JSA75727 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75727" }, { "category": "external", "summary": "Juniper Security Advisory JSA75729 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75729" }, { "category": "external", "summary": "Juniper Security Advisory JSA75730 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75730" }, { "category": "external", "summary": "Juniper Security Advisory JSA75733 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75733" }, { "category": "external", "summary": "Juniper Security Advisory JSA75734 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75734" }, { "category": "external", "summary": "Juniper Security Advisory JSA75735 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75735" }, { "category": "external", "summary": "Juniper Security Advisory JSA75736 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75736" }, { "category": "external", "summary": "Juniper Security Advisory JSA75737 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75737" }, { "category": "external", "summary": "Juniper Security Advisory JSA75738 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75738" }, { "category": "external", "summary": "Juniper Security Advisory JSA75740 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75740" }, { "category": "external", "summary": "Juniper Security Advisory JSA75741 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75741" }, { "category": "external", "summary": "Juniper Security Advisory JSA75742 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75742" }, { "category": "external", "summary": "Juniper Security Advisory JSA75743 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75743" }, { "category": "external", "summary": "Juniper Security Advisory JSA75744 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75744" }, { "category": "external", "summary": "Juniper Security Advisory JSA75745 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75745" }, { "category": "external", "summary": "Juniper Security Advisory JSA75747 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75747" }, { "category": "external", "summary": "Juniper Security Advisory JSA75748 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75748" }, { "category": "external", "summary": "Juniper Security Advisory JSA75752 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75752" }, { "category": "external", "summary": "Juniper Security Advisory JSA75753 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75753" }, { "category": "external", "summary": "Juniper Security Advisory JSA75754 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75754" }, { "category": "external", "summary": "Juniper Security Advisory JSA75755 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75755" }, { "category": "external", "summary": "Juniper Security Advisory JSA75757 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75757" }, { "category": "external", "summary": "Juniper Security Advisory JSA75758 vom 2024-01-10", "url": "https://supportportal.juniper.net/JSA75758" } ], "source_lang": "en-US", "title": "Juniper Produkte: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-01-10T23:00:00.000+00:00", "generator": { "date": "2024-02-15T17:56:09.941+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2024-0064", "initial_release_date": "2024-01-10T23:00:00.000+00:00", "revision_history": [ { "date": "2024-01-10T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Juniper EX Series", "product": { "name": "Juniper EX Series", "product_id": "T019811", "product_identification_helper": { "cpe": "cpe:/h:juniper:ex:-" } } }, { "category": "product_name", "name": "Juniper EX Series 4600", "product": { "name": "Juniper EX Series 4600", "product_id": "T021598", "product_identification_helper": { "cpe": "cpe:/h:juniper:ex:ex4600" } } }, { "category": "product_name", "name": "Juniper EX Series 4100", "product": { "name": "Juniper EX Series 4100", "product_id": "T030475", "product_identification_helper": { "cpe": "cpe:/h:juniper:ex:4100" } } }, { "category": "product_name", "name": "Juniper EX Series 4400", "product": { "name": "Juniper EX Series 4400", "product_id": "T030476", "product_identification_helper": { "cpe": "cpe:/h:juniper:ex:4400" } } }, { "category": "product_name", "name": "Juniper EX Series EX9200", "product": { "name": "Juniper EX Series EX9200", "product_id": "T031997", "product_identification_helper": { "cpe": "cpe:/h:juniper:ex:ex9200" } } } ], "category": "product_name", "name": "EX Series" }, { "branches": [ { "category": "product_name", "name": "Juniper JUNOS Evolved", "product": { "name": "Juniper JUNOS Evolved", "product_id": "T018886", "product_identification_helper": { "cpe": "cpe:/o:juniper:junos:evolved" } } }, { "category": "product_name", "name": "Juniper JUNOS PTX Series", "product": { "name": "Juniper JUNOS PTX Series", "product_id": "T023853", "product_identification_helper": { "cpe": "cpe:/o:juniper:junos:ptx_series" } } }, { "category": "product_name", "name": "Juniper JUNOS", "product": { "name": "Juniper JUNOS", "product_id": "T030471", "product_identification_helper": { "cpe": "cpe:/o:juniper:junos:-" } } }, { "category": "product_name", "name": "Juniper JUNOS ACX7024", "product": { "name": "Juniper JUNOS ACX7024", "product_id": "T031994", "product_identification_helper": { "cpe": "cpe:/o:juniper:junos:acx7024" } } }, { "category": "product_name", "name": "Juniper JUNOS ACX7100-32C", "product": { "name": "Juniper JUNOS ACX7100-32C", "product_id": "T031995", "product_identification_helper": { "cpe": "cpe:/o:juniper:junos:acx7100-32c" } } }, { "category": "product_name", "name": "Juniper JUNOS ACX7100-48L", "product": { "name": "Juniper JUNOS ACX7100-48L", "product_id": "T031996", "product_identification_helper": { "cpe": "cpe:/o:juniper:junos:acx7100-48l" } } } ], "category": "product_name", "name": "JUNOS" }, { "category": "product_name", "name": "Juniper MX Series", "product": { "name": "Juniper MX Series", "product_id": "918766", "product_identification_helper": { "cpe": "cpe:/h:juniper:mx:-" } } }, { "category": "product_name", "name": "Juniper QFX Series 5000", "product": { "name": "Juniper QFX Series 5000", "product_id": "T021597", "product_identification_helper": { "cpe": "cpe:/h:juniper:qfx:qfx5000" } } }, { "category": "product_name", "name": "Juniper SRX Series", "product": { "name": "Juniper SRX Series", "product_id": "T021593", "product_identification_helper": { "cpe": "cpe:/h:juniper:srx_service_gateways:-" } } } ], "category": "vendor", "name": "Juniper" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-2964", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-2964" }, { "cve": "CVE-2022-2873", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-2873" }, { "cve": "CVE-2022-2795", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-2795" }, { "cve": "CVE-2022-2663", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-2663" }, { "cve": "CVE-2022-25265", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-25265" }, { "cve": "CVE-2022-23307", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-23307" }, { "cve": "CVE-2022-23305", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-23305" }, { "cve": "CVE-2022-23302", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-23302" }, { "cve": "CVE-2022-22942", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-22942" }, { "cve": "CVE-2022-2196", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-2196" }, { "cve": "CVE-2022-21699", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-21699" }, { "cve": "CVE-2022-20141", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-20141" }, { "cve": "CVE-2022-1789", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-1789" }, { "cve": "CVE-2022-1679", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-1679" }, { "cve": "CVE-2022-1462", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-1462" }, { "cve": "CVE-2022-0934", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-0934" }, { "cve": "CVE-2022-0330", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-0330" }, { "cve": "CVE-2021-44832", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-44832" }, { "cve": "CVE-2021-44790", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-44790" }, { "cve": "CVE-2021-44228", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-44228" }, { "cve": "CVE-2021-4155", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-4155" }, { "cve": "CVE-2021-39275", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-39275" }, { "cve": "CVE-2021-3752", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-3752" }, { "cve": "CVE-2021-3621", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-3621" }, { "cve": "CVE-2021-3573", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-3573" }, { "cve": "CVE-2021-3564", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-3564" }, { "cve": "CVE-2021-34798", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-34798" }, { "cve": "CVE-2021-33656", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-33656" }, { "cve": "CVE-2021-33655", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-33655" }, { "cve": "CVE-2021-26691", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-26691" }, { "cve": "CVE-2021-26341", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-26341" }, { "cve": "CVE-2021-25220", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-25220" }, { "cve": "CVE-2021-0920", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2021-0920" }, { "cve": "CVE-2020-9493", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2020-9493" }, { "cve": "CVE-2020-12321", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2020-12321" }, { "cve": "CVE-2020-0466", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2020-0466" }, { "cve": "CVE-2020-0465", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2020-0465" }, { "cve": "CVE-2019-17571", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2019-17571" }, { "cve": "CVE-2016-2183", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2016-2183" }, { "cve": "CVE-2024-21617", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21617" }, { "cve": "CVE-2024-21616", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21616" }, { "cve": "CVE-2024-21614", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21614" }, { "cve": "CVE-2024-21613", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21613" }, { "cve": "CVE-2024-21612", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21612" }, { "cve": "CVE-2024-21611", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21611" }, { "cve": "CVE-2024-21607", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21607" }, { "cve": "CVE-2024-21606", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21606" }, { "cve": "CVE-2024-21604", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21604" }, { "cve": "CVE-2024-21603", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21603" }, { "cve": "CVE-2024-21602", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21602" }, { "cve": "CVE-2024-21601", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21601" }, { "cve": "CVE-2024-21600", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21600" }, { "cve": "CVE-2024-21599", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21599" }, { "cve": "CVE-2024-21597", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21597" }, { "cve": "CVE-2024-21596", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21596" }, { "cve": "CVE-2024-21595", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21595" }, { "cve": "CVE-2024-21594", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21594" }, { "cve": "CVE-2024-21591", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21591" }, { "cve": "CVE-2024-21589", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21589" }, { "cve": "CVE-2024-21587", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21587" }, { "cve": "CVE-2024-21585", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2024-21585" }, { "cve": "CVE-2023-38802", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-38802" }, { "cve": "CVE-2023-38408", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-38408" }, { "cve": "CVE-2023-3817", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-3817" }, { "cve": "CVE-2023-36842", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-36842" }, { "cve": "CVE-2023-3446", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-3446" }, { "cve": "CVE-2023-3341", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-3341" }, { "cve": "CVE-2023-32360", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-32360" }, { "cve": "CVE-2023-32067", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-32067" }, { "cve": "CVE-2023-2828", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-2828" }, { "cve": "CVE-2023-2650", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-2650" }, { "cve": "CVE-2023-26464", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-26464" }, { "cve": "CVE-2023-24329", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-24329" }, { "cve": "CVE-2023-23920", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-23920" }, { "cve": "CVE-2023-23918", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-23918" }, { "cve": "CVE-2023-23454", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-23454" }, { "cve": "CVE-2023-22809", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-22809" }, { "cve": "CVE-2023-2235", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-2235" }, { "cve": "CVE-2023-22081", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-22081" }, { "cve": "CVE-2023-22049", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-22049" }, { "cve": "CVE-2023-22045", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-22045" }, { "cve": "CVE-2023-21968", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-21968" }, { "cve": "CVE-2023-21967", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-21967" }, { "cve": "CVE-2023-21954", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-21954" }, { "cve": "CVE-2023-2194", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-2194" }, { "cve": "CVE-2023-21939", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-21939" }, { "cve": "CVE-2023-21938", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-21938" }, { "cve": "CVE-2023-21937", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-21937" }, { "cve": "CVE-2023-21930", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-21930" }, { "cve": "CVE-2023-21843", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-21843" }, { "cve": "CVE-2023-21830", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-21830" }, { "cve": "CVE-2023-2124", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-2124" }, { "cve": "CVE-2023-20593", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-20593" }, { "cve": "CVE-2023-20569", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-20569" }, { "cve": "CVE-2023-1829", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-1829" }, { "cve": "CVE-2023-1582", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-1582" }, { "cve": "CVE-2023-1281", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-1281" }, { "cve": "CVE-2023-1195", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-1195" }, { "cve": "CVE-2023-0767", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-0767" }, { "cve": "CVE-2023-0461", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-0461" }, { "cve": "CVE-2023-0394", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-0394" }, { "cve": "CVE-2023-0386", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-0386" }, { "cve": "CVE-2023-0286", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-0286" }, { "cve": "CVE-2023-0266", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2023-0266" }, { "cve": "CVE-2022-47929", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-47929" }, { "cve": "CVE-2022-43945", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-43945" }, { "cve": "CVE-2022-4378", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-4378" }, { "cve": "CVE-2022-43750", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-43750" }, { "cve": "CVE-2022-42896", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-42896" }, { "cve": "CVE-2022-42722", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-42722" }, { "cve": "CVE-2022-42721", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-42721" }, { "cve": "CVE-2022-42720", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-42720" }, { "cve": "CVE-2022-42703", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-42703" }, { "cve": "CVE-2022-4269", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-4269" }, { "cve": "CVE-2022-4254", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-4254" }, { "cve": "CVE-2022-41974", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-41974" }, { "cve": "CVE-2022-41674", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-41674" }, { "cve": "CVE-2022-4139", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-4139" }, { "cve": "CVE-2022-4129", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-4129" }, { "cve": "CVE-2022-41222", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-41222" }, { "cve": "CVE-2022-41218", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-41218" }, { "cve": "CVE-2022-39189", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-39189" }, { "cve": "CVE-2022-39188", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-39188" }, { "cve": "CVE-2022-38023", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-38023" }, { "cve": "CVE-2022-37434", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-37434" }, { "cve": "CVE-2022-3707", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-3707" }, { "cve": "CVE-2022-3628", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-3628" }, { "cve": "CVE-2022-3625", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-3625" }, { "cve": "CVE-2022-3623", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-3623" }, { "cve": "CVE-2022-3619", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-3619" }, { "cve": "CVE-2022-3567", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-3567" }, { "cve": "CVE-2022-3566", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-3566" }, { "cve": "CVE-2022-3564", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-3564" }, { "cve": "CVE-2022-3524", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-3524" }, { "cve": "CVE-2022-3239", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-3239" }, { "cve": "CVE-2022-30594", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-30594" }, { "cve": "CVE-2022-3028", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in verschiedenen Juniper-Produkten. Die Fehler bestehen aufgrund von unsachgem\u00e4\u00dfen Initialisierungen, nicht willk\u00fcrlichen Schreib- und Use-after-free-Fehlern, bei der \u00dcberpr\u00fcfung von \u00fcberm\u00e4\u00dfig langen DH-Schl\u00fcsseln, unsachgem\u00e4\u00dfen Pufferbeschr\u00e4nkungen, einer Speicher\u00fcberschreitung, einer unsachgem\u00e4\u00dfen Behandlung/Pr\u00fcfung von Ausnahmebedingungen, einem Out-of-bounds-Schreiben und einer unsachgem\u00e4\u00dfen Validierung der syntaktischen Korrektheit der Eingabe. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder erh\u00f6hte Privilegien." } ], "product_status": { "known_affected": [ "T030475", "T031995", "T030476", "T031994", "T031997", "T031996", "918766", "T030471", "T021598", "T018886", "T021597", "T019811", "T023853", "T021593" ] }, "release_date": "2024-01-10T23:00:00Z", "title": "CVE-2022-3028" } ] }
wid-sec-w-2022-0521
Vulnerability from csaf_certbund
Published
2022-01-18 23:00
Modified
2024-05-14 22:00
Summary
Apache log4j: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Apache log4j ist ein Framework zum Loggen von Anwendungsmeldungen in Java.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache log4j ausnutzen, um beliebigen Programmcode auszuführen oder einen SQL-Injection durchzuführen.
Betroffene Betriebssysteme
- Linux
- NetApp Appliance
- Sonstiges
- UNIX
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Apache log4j ist ein Framework zum Loggen von Anwendungsmeldungen in Java.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache log4j ausnutzen, um beliebigen Programmcode auszuf\u00fchren oder einen SQL-Injection durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- NetApp Appliance\n- Sonstiges\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-0521 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-0521.json" }, { "category": "self", "summary": "WID-SEC-2022-0521 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0521" }, { "category": "external", "summary": "Red Hat Bugzilla - Bug 2041949 vom 2022-01-18", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "Eintrag in der OSS-Mailinglist vom 2022-01-18", "url": "http://seclists.org/oss-sec/2022/q1/50" }, { "category": "external", "summary": "Eintrag in der OSS-Mailinglist vom 2022-01-18", "url": "http://seclists.org/oss-sec/2022/q1/51" }, { "category": "external", "summary": "Eintrag in der OSS-Mailinglist vom 2022-01-18", "url": "http://seclists.org/oss-sec/2022/q1/52" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0290 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:14881-1 vom 2022-01-26", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010085.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0291 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0289 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0294 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-0290 vom 2022-01-27", "url": "http://linux.oracle.com/errata/ELSA-2022-0290.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0214-1 vom 2022-01-27", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010127.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0212-1 vom 2022-01-27", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010124.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0226-1 vom 2022-01-28", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010135.html" }, { "category": "external", "summary": "Debian Security Advisory DLA-2905 vom 2022-01-31", "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00033.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0437 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0430 vom 2022-02-03", "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0439 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0439" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0436 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0435 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0438 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-0442 vom 2022-02-08", "url": "http://linux.oracle.com/errata/ELSA-2022-0442.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0442 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0442" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0444 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0445 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0448 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0449 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0446 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0447 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0450 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "external", "summary": "CentOS Security Advisory CESA-2022:0442 vom 2022-02-07", "url": "https://lists.centos.org/pipermail/centos-announce/2022-February/073555.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0475 vom 2022-02-09", "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0467 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0467" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0469 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0469" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0354-1 vom 2022-02-09", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010195.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0497 vom 2022-02-09", "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0355-1 vom 2022-02-09", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010196.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0507 vom 2022-02-10", "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0527 vom 2022-02-14", "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0524 vom 2022-02-14", "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0553 vom 2022-02-15", "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "external", "summary": "IBM Security Bulletin 6557248 vom 2022-02-18", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-are-vulnerable-to-arbitrary-code-execution-and-sql-injection-due-to-apache-log4j-cve-2022-23302-cve/" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2022-1750 vom 2022-02-21", "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1750.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0661 vom 2022-02-23", "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "external", "summary": "Brocade Security Advisory BSA-2022-1680 vom 2022-03-03", "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1680" }, { "category": "external", "summary": "NetApp Security Advisory NTAP-20220204-0004 vom 2022-03-09", "url": "https://security.netapp.com/advisory/ntap-20220204-0004/" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-9419 vom 2022-05-23", "url": "https://linux.oracle.com/errata/ELSA-2022-9419.html" }, { "category": "external", "summary": "IBM Security Bulletin 6563857 vom 2022-03-17", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4j-ibm-netcool-omnibus-probe-dsl-factory-framework-is-vulnerable-to-arbitrary-code-execution-cve-2022-23302-cve-2022-23307-and-sql-injection-cve-2022-2/" }, { "category": "external", "summary": "HCL Article KB0096807 vom 2022-03-29", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0096807" }, { "category": "external", "summary": "IBM Security Bulletin 6568731 vom 2022-04-02", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-ibm-integration-bus-are-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2022-23307-cve-2022-23302-and-sql-injection-due-to-apache/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1299 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1297 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1296 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "external", "summary": "HCL Article KB0097650 vom 2022-04-23", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097650" }, { "category": "external", "summary": "HCL Article KB0097639 vom 2022-04-23", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097639" }, { "category": "external", "summary": "HCL Article KB0097787 vom 2022-04-28", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097787" }, { "category": "external", "summary": "HCL Article KB0097905 vom 2022-05-11", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097905" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:5460 vom 2022-07-01", "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:5459 vom 2022-07-01", "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:5458 vom 2022-07-01", "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "external", "summary": "IBM Security Bulletin 6829357 vom 2022-10-15", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-may-be-affected-by-vulnerabilities-in-apache-log4j-1-x-version-2/" }, { "category": "external", "summary": "Ubuntu Security Notice USN-5998-1 vom 2023-04-06", "url": "https://ubuntu.com/security/notices/USN-5998-1" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2023-1718 vom 2023-04-06", "url": "https://alas.aws.amazon.com/ALAS-2023-1718.html" }, { "category": "external", "summary": "Gentoo Linux Security Advisory GLSA-202402-16 vom 2024-02-18", "url": "https://security.gentoo.org/glsa/202402-16" }, { "category": "external", "summary": "IBM Security Bulletin 7009621 vom 2023-07-25", "url": "https://www.ibm.com/support/pages/node/7014395" }, { "category": "external", "summary": "IBM Security Bulletin vom 2023-10-27", "url": "https://www.ibm.com/support/pages/node/7060803" }, { "category": "external", "summary": "IBM Security Bulletin 7152257 vom 2024-05-15", "url": "https://www.ibm.com/support/pages/node/7152257" } ], "source_lang": "en-US", "title": "Apache log4j: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-05-14T22:00:00.000+00:00", "generator": { "date": "2024-05-15T09:34:33.086+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2022-0521", "initial_release_date": "2022-01-18T23:00:00.000+00:00", "revision_history": [ { "date": "2022-01-18T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2022-01-26T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat und SUSE aufgenommen" }, { "date": "2022-01-27T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Oracle Linux und SUSE aufgenommen" }, { "date": "2022-01-30T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-01-31T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2022-02-03T23:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-07T23:00:00.000+00:00", "number": "7", "summary": "Neue Updates von Oracle Linux und Red Hat aufgenommen" }, { "date": "2022-02-08T23:00:00.000+00:00", "number": "8", "summary": "Neue Updates von CentOS und Red Hat aufgenommen" }, { "date": "2022-02-09T23:00:00.000+00:00", "number": "9", "summary": "Neue Updates von SUSE und Red Hat aufgenommen" }, { "date": "2022-02-10T23:00:00.000+00:00", "number": "10", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-14T23:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-15T23:00:00.000+00:00", "number": "12", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-17T23:00:00.000+00:00", "number": "13", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-02-21T23:00:00.000+00:00", "number": "14", "summary": "Neue Updates von Amazon aufgenommen" }, { "date": "2022-02-23T23:00:00.000+00:00", "number": "15", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-03-03T23:00:00.000+00:00", "number": "16", "summary": "Neue Updates von BROCADE aufgenommen" }, { "date": "2022-03-08T23:00:00.000+00:00", "number": "17", "summary": "Neue Updates von NetApp aufgenommen" }, { "date": "2022-03-16T23:00:00.000+00:00", "number": "18", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-03-29T22:00:00.000+00:00", "number": "19", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-04-03T22:00:00.000+00:00", "number": "20", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-04-11T22:00:00.000+00:00", "number": "21", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-04-24T22:00:00.000+00:00", "number": "22", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-04-27T22:00:00.000+00:00", "number": "23", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-05-10T22:00:00.000+00:00", "number": "24", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-05-23T22:00:00.000+00:00", "number": "25", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2022-06-30T22:00:00.000+00:00", "number": "26", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-10-16T22:00:00.000+00:00", "number": "27", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-04-05T22:00:00.000+00:00", "number": "28", "summary": "Neue Updates von Ubuntu und Amazon aufgenommen" }, { "date": "2023-07-24T22:00:00.000+00:00", "number": "29", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-10-29T23:00:00.000+00:00", "number": "30", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-02-18T23:00:00.000+00:00", "number": "31", "summary": "Neue Updates von Gentoo aufgenommen" }, { "date": "2024-05-14T22:00:00.000+00:00", "number": "32", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "32" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Amazon Linux 2", "product": { "name": "Amazon Linux 2", "product_id": "398363", "product_identification_helper": { "cpe": "cpe:/o:amazon:linux_2:-" } } } ], "category": "vendor", "name": "Amazon" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "1.x", "product": { "name": "Apache log4j 1.x", "product_id": "T010060", "product_identification_helper": { "cpe": "cpe:/a:apache:log4j:-" } } } ], "category": "product_name", "name": "log4j" } ], "category": "vendor", "name": "Apache" }, { "branches": [ { "category": "product_name", "name": "Broadcom Brocade SANnav", "product": { "name": "Broadcom Brocade SANnav", "product_id": "T022212", "product_identification_helper": { "cpe": "cpe:/a:broadcom:brocade_sannav:-" } } }, { "category": "product_name", "name": "Broadcom Brocade Switch", "product": { "name": "Broadcom Brocade Switch", "product_id": "T015844", "product_identification_helper": { "cpe": "cpe:/h:brocade:switch:-" } } } ], "category": "vendor", "name": "Broadcom" }, { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "Gentoo Linux", "product": { "name": "Gentoo Linux", "product_id": "T012167", "product_identification_helper": { "cpe": "cpe:/o:gentoo:linux:-" } } } ], "category": "vendor", "name": "Gentoo" }, { "branches": [ { "category": "product_name", "name": "HCL Commerce", "product": { "name": "HCL Commerce", "product_id": "T019293", "product_identification_helper": { "cpe": "cpe:/a:hcltechsw:commerce:-" } } } ], "category": "vendor", "name": "HCL" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "11.7", "product": { "name": "IBM InfoSphere Information Server 11.7", "product_id": "444803", "product_identification_helper": { "cpe": "cpe:/a:ibm:infosphere_information_server:11.7" } } } ], "category": "product_name", "name": "InfoSphere Information Server" }, { "branches": [ { "category": "product_version", "name": "7.5", "product": { "name": "IBM QRadar SIEM 7.5", "product_id": "T022954", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5" } } }, { "category": "product_version", "name": "7.5.0", "product": { "name": "IBM QRadar SIEM 7.5.0", "product_id": "T023574", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5.0" } } } ], "category": "product_name", "name": "QRadar SIEM" }, { "category": "product_name", "name": "IBM Security Access Manager for Enterprise Single Sign-On", "product": { "name": "IBM Security Access Manager for Enterprise Single Sign-On", "product_id": "T006523", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_access_manager_for_enterprise_single_sign_on:-" } } }, { "category": "product_name", "name": "IBM Tivoli Netcool/OMNIbus", "product": { "name": "IBM Tivoli Netcool/OMNIbus", "product_id": "T004181", "product_identification_helper": { "cpe": "cpe:/a:ibm:tivoli_netcool%2fomnibus:-" } } } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "category": "product_name", "name": "NetApp ActiveIQ Unified Manager", "product": { "name": "NetApp ActiveIQ Unified Manager", "product_id": "658714", "product_identification_helper": { "cpe": "cpe:/a:netapp:active_iq_unified_manager:-::~~~vmware_vsphere~~" } } } ], "category": "vendor", "name": "NetApp" }, { "branches": [ { "category": "product_name", "name": "Open Source CentOS", "product": { "name": "Open Source CentOS", "product_id": "1727", "product_identification_helper": { "cpe": "cpe:/o:centos:centos:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-23302", "notes": [ { "category": "description", "text": "In Apache log4j existieren mehrere Schwachstellen. Die Schwachstellen sind auf unzureichende Eingabevalidierungen zur\u00fcckzuf\u00fchren, welche zu einer unsicheren Deserialisierung f\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "T006523", "T015844", "T019293", "T012167", "658714", "T004914", "T022954", "T010060", "2951", "T002207", "T000126", "444803", "T023574", "T004181", "398363", "T022212", "1727" ] }, "release_date": "2022-01-18T23:00:00Z", "title": "CVE-2022-23302" }, { "cve": "CVE-2022-23307", "notes": [ { "category": "description", "text": "In Apache log4j existieren mehrere Schwachstellen. Die Schwachstellen sind auf unzureichende Eingabevalidierungen zur\u00fcckzuf\u00fchren, welche zu einer unsicheren Deserialisierung f\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "T006523", "T015844", "T019293", "T012167", "658714", "T004914", "T022954", "T010060", "2951", "T002207", "T000126", "444803", "T023574", "T004181", "398363", "T022212", "1727" ] }, "release_date": "2022-01-18T23:00:00Z", "title": "CVE-2022-23307" }, { "cve": "CVE-2022-23305", "notes": [ { "category": "description", "text": "In Apache log4j existiert eine Schwachstelle. Die Schwachstelle besteht in der Komponente \"JDBCAppender\" und ist auf die M\u00f6glichkeit einer SQL-Injection zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um eine SQL-Injection durchzuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "T006523", "T015844", "T019293", "T012167", "658714", "T004914", "T022954", "T010060", "2951", "T002207", "T000126", "444803", "T023574", "T004181", "398363", "T022212", "1727" ] }, "release_date": "2022-01-18T23:00:00Z", "title": "CVE-2022-23305" } ] }
wid-sec-w-2024-0794
Vulnerability from csaf_certbund
Published
2024-04-04 22:00
Modified
2024-04-04 22:00
Summary
Dell ECS: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Dell ECS ist ein Objektspeichersystem.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Dell ECS ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Dell ECS ist ein Objektspeichersystem.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in Dell ECS ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0794 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0794.json" }, { "category": "self", "summary": "WID-SEC-2024-0794 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0794" }, { "category": "external", "summary": "Dell Security Advisory DSA-2024-141 vom 2024-04-04", "url": "https://www.dell.com/support/kbdoc/000223839/dsa-2024-=" } ], "source_lang": "en-US", "title": "Dell ECS: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-04-04T22:00:00.000+00:00", "generator": { "date": "2024-04-05T09:37:24.604+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2024-0794", "initial_release_date": "2024-04-04T22:00:00.000+00:00", "revision_history": [ { "date": "2024-04-04T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c 3.8.1.0", "product": { "name": "Dell ECS \u003c 3.8.1.0", "product_id": "T033919", "product_identification_helper": { "cpe": "cpe:/h:dell:ecs:3.8.1.0" } } } ], "category": "product_name", "name": "ECS" } ], "category": "vendor", "name": "Dell" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-18074", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2018-18074" }, { "cve": "CVE-2020-10663", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-10663" }, { "cve": "CVE-2020-10672", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-10672" }, { "cve": "CVE-2020-10673", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-10673" }, { "cve": "CVE-2020-10735", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-10735" }, { "cve": "CVE-2020-10968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-10968" }, { "cve": "CVE-2020-10969", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-10969" }, { "cve": "CVE-2020-11111", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11111" }, { "cve": "CVE-2020-11112", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11112" }, { "cve": "CVE-2020-11113", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11113" }, { "cve": "CVE-2020-11612", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11612" }, { "cve": "CVE-2020-11619", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11619" }, { "cve": "CVE-2020-11620", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11620" }, { "cve": "CVE-2020-11979", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11979" }, { "cve": "CVE-2020-12762", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-12762" }, { "cve": "CVE-2020-12825", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-12825" }, { "cve": "CVE-2020-13956", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-13956" }, { "cve": "CVE-2020-14060", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-14060" }, { "cve": "CVE-2020-14061", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-14061" }, { "cve": "CVE-2020-14062", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-14062" }, { "cve": "CVE-2020-14195", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-14195" }, { "cve": "CVE-2020-15250", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-15250" }, { "cve": "CVE-2020-1945", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-1945" }, { "cve": "CVE-2020-1967", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-1967" }, { "cve": "CVE-2020-1971", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-1971" }, { "cve": "CVE-2020-24616", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-24616" }, { "cve": "CVE-2020-24750", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-24750" }, { "cve": "CVE-2020-25649", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-25649" }, { "cve": "CVE-2020-25658", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-25658" }, { "cve": "CVE-2020-26116", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-26116" }, { "cve": "CVE-2020-26137", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-26137" }, { "cve": "CVE-2020-26541", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-26541" }, { "cve": "CVE-2020-27216", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-27216" }, { "cve": "CVE-2020-27218", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-27218" }, { "cve": "CVE-2020-27223", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-27223" }, { "cve": "CVE-2020-28366", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-28366" }, { "cve": "CVE-2020-28493", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-28493" }, { "cve": "CVE-2020-29509", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-29509" }, { "cve": "CVE-2020-29511", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-29511" }, { "cve": "CVE-2020-29582", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-29582" }, { "cve": "CVE-2020-29651", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-29651" }, { "cve": "CVE-2020-35490", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-35490" }, { "cve": "CVE-2020-35491", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-35491" }, { "cve": "CVE-2020-35728", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-35728" }, { "cve": "CVE-2020-36179", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36179" }, { "cve": "CVE-2020-36180", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36180" }, { "cve": "CVE-2020-36181", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36181" }, { "cve": "CVE-2020-36182", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36182" }, { "cve": "CVE-2020-36183", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36183" }, { "cve": "CVE-2020-36184", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36184" }, { "cve": "CVE-2020-36185", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36185" }, { "cve": "CVE-2020-36186", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36186" }, { "cve": "CVE-2020-36187", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36187" }, { "cve": "CVE-2020-36188", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36188" }, { "cve": "CVE-2020-36189", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36189" }, { "cve": "CVE-2020-36516", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36516" }, { "cve": "CVE-2020-36518", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36518" }, { "cve": "CVE-2020-36557", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36557" }, { "cve": "CVE-2020-36558", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36558" }, { "cve": "CVE-2020-36691", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36691" }, { "cve": "CVE-2020-7238", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-7238" }, { "cve": "CVE-2020-8840", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-8840" }, { "cve": "CVE-2020-8908", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-8908" }, { "cve": "CVE-2020-8911", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-8911" }, { "cve": "CVE-2020-8912", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-8912" }, { "cve": "CVE-2020-9488", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-9488" }, { "cve": "CVE-2020-9493", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-9493" }, { "cve": "CVE-2020-9546", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-9546" }, { "cve": "CVE-2020-9547", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-9547" }, { "cve": "CVE-2020-9548", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-9548" }, { "cve": "CVE-2021-20190", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-20190" }, { "cve": "CVE-2021-20323", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-20323" }, { "cve": "CVE-2021-21290", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-21290" }, { "cve": "CVE-2021-21295", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-21295" }, { "cve": "CVE-2021-21409", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-21409" }, { "cve": "CVE-2021-23840", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-23840" }, { "cve": "CVE-2021-23841", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-23841" }, { "cve": "CVE-2021-2471", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-2471" }, { "cve": "CVE-2021-25642", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-25642" }, { "cve": "CVE-2021-26341", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-26341" }, { "cve": "CVE-2021-27918", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-27918" }, { "cve": "CVE-2021-28153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-28153" }, { "cve": "CVE-2021-28165", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-28165" }, { "cve": "CVE-2021-28169", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-28169" }, { "cve": "CVE-2021-28861", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-28861" }, { "cve": "CVE-2021-29425", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-29425" }, { "cve": "CVE-2021-30560", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-30560" }, { "cve": "CVE-2021-3114", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3114" }, { "cve": "CVE-2021-33036", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33036" }, { "cve": "CVE-2021-33194", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33194" }, { "cve": "CVE-2021-33195", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33195" }, { "cve": "CVE-2021-33196", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33196" }, { "cve": "CVE-2021-33197", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33197" }, { "cve": "CVE-2021-33503", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33503" }, { "cve": "CVE-2021-33655", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33655" }, { "cve": "CVE-2021-33656", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33656" }, { "cve": "CVE-2021-3424", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3424" }, { "cve": "CVE-2021-34428", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-34428" }, { "cve": "CVE-2021-3449", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3449" }, { "cve": "CVE-2021-3450", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3450" }, { "cve": "CVE-2021-3530", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3530" }, { "cve": "CVE-2021-36221", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-36221" }, { "cve": "CVE-2021-36373", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-36373" }, { "cve": "CVE-2021-36374", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-36374" }, { "cve": "CVE-2021-3648", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3648" }, { "cve": "CVE-2021-36690", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-36690" }, { "cve": "CVE-2021-3711", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3711" }, { "cve": "CVE-2021-3712", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3712" }, { "cve": "CVE-2021-37136", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-37136" }, { "cve": "CVE-2021-37137", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-37137" }, { "cve": "CVE-2021-37404", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-37404" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-37533" }, { "cve": "CVE-2021-3754", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3754" }, { "cve": "CVE-2021-3778", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3778" }, { "cve": "CVE-2021-3796", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3796" }, { "cve": "CVE-2021-3826", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3826" }, { "cve": "CVE-2021-3827", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3827" }, { "cve": "CVE-2021-38297", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-38297" }, { "cve": "CVE-2021-3872", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3872" }, { "cve": "CVE-2021-3875", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3875" }, { "cve": "CVE-2021-3903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3903" }, { "cve": "CVE-2021-3923", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3923" }, { "cve": "CVE-2021-3927", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3927" }, { "cve": "CVE-2021-3928", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3928" }, { "cve": "CVE-2021-3968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3968" }, { "cve": "CVE-2021-3973", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3973" }, { "cve": "CVE-2021-3974", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3974" }, { "cve": "CVE-2021-3984", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3984" }, { "cve": "CVE-2021-4019", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4019" }, { "cve": "CVE-2021-4037", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4037" }, { "cve": "CVE-2021-4069", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4069" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-4136", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4136" }, { "cve": "CVE-2021-4157", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4157" }, { "cve": "CVE-2021-4166", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4166" }, { "cve": "CVE-2021-41771", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-41771" }, { "cve": "CVE-2021-4192", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4192" }, { "cve": "CVE-2021-4193", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4193" }, { "cve": "CVE-2021-4203", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4203" }, { "cve": "CVE-2021-42567", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-42567" }, { "cve": "CVE-2021-43797", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-43797" }, { "cve": "CVE-2021-44531", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-44531" }, { "cve": "CVE-2021-44532", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-44532" }, { "cve": "CVE-2021-44533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-44533" }, { "cve": "CVE-2021-44716", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-44716" }, { "cve": "CVE-2021-44878", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-44878" }, { "cve": "CVE-2021-45078", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-45078" }, { "cve": "CVE-2021-46195", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-46195" }, { "cve": "CVE-2021-46828", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-46828" }, { "cve": "CVE-2021-46848", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-46848" }, { "cve": "CVE-2022-0128", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0128" }, { "cve": "CVE-2022-0213", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0213" }, { "cve": "CVE-2022-0225", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0225" }, { "cve": "CVE-2022-0261", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0261" }, { "cve": "CVE-2022-0318", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0318" }, { "cve": "CVE-2022-0319", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0319" }, { "cve": "CVE-2022-0351", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0351" }, { "cve": "CVE-2022-0359", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0359" }, { "cve": "CVE-2022-0361", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0361" }, { "cve": "CVE-2022-0392", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0392" }, { "cve": "CVE-2022-0407", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0407" }, { "cve": "CVE-2022-0413", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0413" }, { "cve": "CVE-2022-0561", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0561" }, { "cve": "CVE-2022-0696", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0696" }, { "cve": "CVE-2022-0778", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0778" }, { "cve": "CVE-2022-1184", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1184" }, { "cve": "CVE-2022-1245", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1245" }, { "cve": "CVE-2022-1271", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1271" }, { "cve": "CVE-2022-1292", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1292" }, { "cve": "CVE-2022-1381", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1381" }, { "cve": "CVE-2022-1420", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1420" }, { "cve": "CVE-2022-1462", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1462" }, { "cve": "CVE-2022-1466", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1466" }, { "cve": "CVE-2022-1471", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1471" }, { "cve": "CVE-2022-1586", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1586" }, { "cve": "CVE-2022-1587", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1587" }, { "cve": "CVE-2022-1616", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1616" }, { "cve": "CVE-2022-1619", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1619" }, { "cve": "CVE-2022-1620", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1620" }, { "cve": "CVE-2022-1679", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1679" }, { "cve": "CVE-2022-1705", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1705" }, { "cve": "CVE-2022-1720", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1720" }, { "cve": "CVE-2022-1729", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1729" }, { "cve": "CVE-2022-1733", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1733" }, { "cve": "CVE-2022-1735", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1735" }, { "cve": "CVE-2022-1771", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1771" }, { "cve": "CVE-2022-1785", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1785" }, { "cve": "CVE-2022-1796", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1796" }, { "cve": "CVE-2022-1851", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1851" }, { "cve": "CVE-2022-1897", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1897" }, { "cve": "CVE-2022-1898", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1898" }, { "cve": "CVE-2022-1927", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1927" }, { "cve": "CVE-2022-1962", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1962" }, { "cve": "CVE-2022-1968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1968" }, { "cve": "CVE-2022-1974", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1974" }, { "cve": "CVE-2022-1975", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1975" }, { "cve": "CVE-2022-20132", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20132" }, { "cve": "CVE-2022-20141", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20141" }, { "cve": "CVE-2022-20154", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20154" }, { "cve": "CVE-2022-20166", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20166" }, { "cve": "CVE-2022-20368", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20368" }, { "cve": "CVE-2022-20369", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20369" }, { "cve": "CVE-2022-2047", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2047" }, { "cve": "CVE-2022-2048", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2048" }, { "cve": "CVE-2022-20567", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20567" }, { "cve": "CVE-2022-2068", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2068" }, { "cve": "CVE-2022-2097", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2097" }, { "cve": "CVE-2022-21216", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21216" }, { "cve": "CVE-2022-21233", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21233" }, { "cve": "CVE-2022-2124", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2124" }, { "cve": "CVE-2022-2125", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2125" }, { "cve": "CVE-2022-2126", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2126" }, { "cve": "CVE-2022-2129", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2129" }, { "cve": "CVE-2022-21363", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21363" }, { "cve": "CVE-2022-21385", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21385" }, { "cve": "CVE-2022-21499", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21499" }, { "cve": "CVE-2022-2153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2153" }, { "cve": "CVE-2022-21540", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21540" }, { "cve": "CVE-2022-21541", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21541" }, { "cve": "CVE-2022-21549", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21549" }, { "cve": "CVE-2022-21618", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21618" }, { "cve": "CVE-2022-21619", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21619" }, { "cve": "CVE-2022-21624", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21624" }, { "cve": "CVE-2022-21626", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21626" }, { "cve": "CVE-2022-21628", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21628" }, { "cve": "CVE-2022-21702", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21702" }, { "cve": "CVE-2022-2175", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2175" }, { "cve": "CVE-2022-2182", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2182" }, { "cve": "CVE-2022-2183", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2183" }, { "cve": "CVE-2022-2206", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2206" }, { "cve": "CVE-2022-2207", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2207" }, { "cve": "CVE-2022-2208", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2208" }, { "cve": "CVE-2022-2210", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2210" }, { "cve": "CVE-2022-2231", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2231" }, { "cve": "CVE-2022-2256", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2256" }, { "cve": "CVE-2022-2257", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2257" }, { "cve": "CVE-2022-2264", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2264" }, { "cve": "CVE-2022-2284", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2284" }, { "cve": "CVE-2022-2285", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2285" }, { "cve": "CVE-2022-2286", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2286" }, { "cve": "CVE-2022-2287", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2287" }, { "cve": "CVE-2022-22976", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-22976" }, { "cve": "CVE-2022-22978", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-22978" }, { "cve": "CVE-2022-2304", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2304" }, { "cve": "CVE-2022-2318", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2318" }, { "cve": "CVE-2022-23302", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23302" }, { "cve": "CVE-2022-23305", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23305" }, { "cve": "CVE-2022-23307", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23307" }, { "cve": "CVE-2022-2343", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2343" }, { "cve": "CVE-2022-2344", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2344" }, { "cve": "CVE-2022-2345", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2345" }, { "cve": "CVE-2022-23471", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23471" }, { "cve": "CVE-2022-23521", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23521" }, { "cve": "CVE-2022-23772", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23772" }, { "cve": "CVE-2022-23773", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23773" }, { "cve": "CVE-2022-24302", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-24302" }, { "cve": "CVE-2022-24329", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-24329" }, { "cve": "CVE-2022-24823", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-24823" }, { "cve": "CVE-2022-24903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-24903" }, { "cve": "CVE-2022-2503", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2503" }, { "cve": "CVE-2022-25147", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-25147" }, { "cve": "CVE-2022-25168", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-25168" }, { "cve": "CVE-2022-2519", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2519" }, { "cve": "CVE-2022-2520", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2520" }, { "cve": "CVE-2022-2521", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2521" }, { "cve": "CVE-2022-2522", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2522" }, { "cve": "CVE-2022-25647", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-25647" }, { "cve": "CVE-2022-2571", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2571" }, { "cve": "CVE-2022-2580", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2580" }, { "cve": "CVE-2022-2581", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2581" }, { "cve": "CVE-2022-25857", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-25857" }, { "cve": "CVE-2022-2588", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2588" }, { "cve": "CVE-2022-2598", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2598" }, { "cve": "CVE-2022-26148", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-26148" }, { "cve": "CVE-2022-26365", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-26365" }, { "cve": "CVE-2022-26373", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-26373" }, { "cve": "CVE-2022-2639", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2639" }, { "cve": "CVE-2022-26612", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-26612" }, { "cve": "CVE-2022-2663", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2663" }, { "cve": "CVE-2022-27781", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-27781" }, { "cve": "CVE-2022-27782", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-27782" }, { "cve": "CVE-2022-27943", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-27943" }, { "cve": "CVE-2022-2795", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2795" }, { "cve": "CVE-2022-28131", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-28131" }, { "cve": "CVE-2022-2816", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2816" }, { "cve": "CVE-2022-2817", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2817" }, { "cve": "CVE-2022-2819", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2819" }, { "cve": "CVE-2022-28327", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-28327" }, { "cve": "CVE-2022-2845", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2845" }, { "cve": "CVE-2022-2849", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2849" }, { "cve": "CVE-2022-2862", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2862" }, { "cve": "CVE-2022-2867", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2867" }, { "cve": "CVE-2022-2868", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2868" }, { "cve": "CVE-2022-2869", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2869" }, { "cve": "CVE-2022-28693", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-28693" }, { "cve": "CVE-2022-2874", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2874" }, { "cve": "CVE-2022-28748", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-28748" }, { "cve": "CVE-2022-2880", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2880" }, { "cve": "CVE-2022-2889", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2889" }, { "cve": "CVE-2022-29162", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-29162" }, { "cve": "CVE-2022-29187", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-29187" }, { "cve": "CVE-2022-2923", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2923" }, { "cve": "CVE-2022-2946", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2946" }, { "cve": "CVE-2022-29526", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-29526" }, { "cve": "CVE-2022-29583", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-29583" }, { "cve": "CVE-2022-2964", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2964" }, { "cve": "CVE-2022-2977", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2977" }, { "cve": "CVE-2022-2980", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2980" }, { "cve": "CVE-2022-2982", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2982" }, { "cve": "CVE-2022-29900", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-29900" }, { "cve": "CVE-2022-29901", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-29901" }, { "cve": "CVE-2022-2991", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2991" }, { "cve": "CVE-2022-3016", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3016" }, { "cve": "CVE-2022-3028", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3028" }, { "cve": "CVE-2022-3037", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3037" }, { "cve": "CVE-2022-30580", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-30580" }, { "cve": "CVE-2022-30630", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-30630" }, { "cve": "CVE-2022-30631", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-30631" }, { "cve": "CVE-2022-30632", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-30632" }, { "cve": "CVE-2022-30633", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-30633" }, { "cve": "CVE-2022-3099", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3099" }, { "cve": "CVE-2022-31030", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-31030" }, { "cve": "CVE-2022-31159", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-31159" }, { "cve": "CVE-2022-3134", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3134" }, { "cve": "CVE-2022-3153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3153" }, { "cve": "CVE-2022-3169", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3169" }, { "cve": "CVE-2022-31690", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-31690" }, { "cve": "CVE-2022-32148", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-32148" }, { "cve": "CVE-2022-32149", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-32149" }, { "cve": "CVE-2022-32206", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-32206" }, { "cve": "CVE-2022-32208", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-32208" }, { "cve": "CVE-2022-32221", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-32221" }, { "cve": "CVE-2022-3234", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3234" }, { "cve": "CVE-2022-3235", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3235" }, { "cve": "CVE-2022-3239", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3239" }, { "cve": "CVE-2022-3278", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3278" }, { "cve": "CVE-2022-3296", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3296" }, { "cve": "CVE-2022-3297", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3297" }, { "cve": "CVE-2022-33196", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-33196" }, { "cve": "CVE-2022-3324", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3324" }, { "cve": "CVE-2022-3352", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3352" }, { "cve": "CVE-2022-33740", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-33740" }, { "cve": "CVE-2022-33741", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-33741" }, { "cve": "CVE-2022-33742", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-33742" }, { "cve": "CVE-2022-33972", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-33972" }, { "cve": "CVE-2022-33981", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-33981" }, { "cve": "CVE-2022-34169", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-34169" }, { "cve": "CVE-2022-3424", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3424" }, { "cve": "CVE-2022-34266", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-34266" }, { "cve": "CVE-2022-34526", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-34526" }, { "cve": "CVE-2022-34903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-34903" }, { "cve": "CVE-2022-3491", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3491" }, { "cve": "CVE-2022-3515", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3515" }, { "cve": "CVE-2022-3520", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3520" }, { "cve": "CVE-2022-3521", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3521" }, { "cve": "CVE-2022-3524", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3524" }, { "cve": "CVE-2022-35252", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-35252" }, { "cve": "CVE-2022-3542", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3542" }, { "cve": "CVE-2022-3545", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3545" }, { "cve": "CVE-2022-3564", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3564" }, { "cve": "CVE-2022-3565", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3565" }, { "cve": "CVE-2022-3566", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3566" }, { "cve": "CVE-2022-3567", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3567" }, { "cve": "CVE-2022-35737", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-35737" }, { "cve": "CVE-2022-3586", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3586" }, { "cve": "CVE-2022-3591", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3591" }, { "cve": "CVE-2022-3594", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3594" }, { "cve": "CVE-2022-3597", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3597" }, { "cve": "CVE-2022-3599", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3599" }, { "cve": "CVE-2022-36109", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-36109" }, { "cve": "CVE-2022-3621", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3621" }, { "cve": "CVE-2022-3626", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3626" }, { "cve": "CVE-2022-3627", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3627" }, { "cve": "CVE-2022-3628", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3628" }, { "cve": "CVE-2022-36280", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-36280" }, { "cve": "CVE-2022-3629", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3629" }, { "cve": "CVE-2022-3635", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3635" }, { "cve": "CVE-2022-3643", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3643" }, { "cve": "CVE-2022-36437", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-36437" }, { "cve": "CVE-2022-3646", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3646" }, { "cve": "CVE-2022-3649", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3649" }, { "cve": "CVE-2022-36760", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-36760" }, { "cve": "CVE-2022-36879", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-36879" }, { "cve": "CVE-2022-36946", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-36946" }, { "cve": "CVE-2022-3705", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3705" }, { "cve": "CVE-2022-37434", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-37434" }, { "cve": "CVE-2022-37436", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-37436" }, { "cve": "CVE-2022-37865", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-37865" }, { "cve": "CVE-2022-37866", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-37866" }, { "cve": "CVE-2022-38090", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38090" }, { "cve": "CVE-2022-38096", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38096" }, { "cve": "CVE-2022-38126", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38126" }, { "cve": "CVE-2022-38127", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38127" }, { "cve": "CVE-2022-38177", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38177" }, { "cve": "CVE-2022-38178", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38178" }, { "cve": "CVE-2022-3821", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3821" }, { "cve": "CVE-2022-38533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38533" }, { "cve": "CVE-2022-38749", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38749" }, { "cve": "CVE-2022-38750", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38750" }, { "cve": "CVE-2022-38751", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38751" }, { "cve": "CVE-2022-38752", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38752" }, { "cve": "CVE-2022-39028", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-39028" }, { "cve": "CVE-2022-3903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3903" }, { "cve": "CVE-2022-39188", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-39188" }, { "cve": "CVE-2022-39399", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-39399" }, { "cve": "CVE-2022-3970", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3970" }, { "cve": "CVE-2022-40149", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40149" }, { "cve": "CVE-2022-40150", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40150" }, { "cve": "CVE-2022-40151", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40151" }, { "cve": "CVE-2022-40152", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40152" }, { "cve": "CVE-2022-40153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40153" }, { "cve": "CVE-2022-40303", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40303" }, { "cve": "CVE-2022-40304", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40304" }, { "cve": "CVE-2022-40307", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40307" }, { "cve": "CVE-2022-40674", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40674" }, { "cve": "CVE-2022-40768", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40768" }, { "cve": "CVE-2022-40899", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40899" }, { "cve": "CVE-2022-4095", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4095" }, { "cve": "CVE-2022-41218", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41218" }, { "cve": "CVE-2022-4129", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4129" }, { "cve": "CVE-2022-4141", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4141" }, { "cve": "CVE-2022-41717", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41717" }, { "cve": "CVE-2022-41721", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41721" }, { "cve": "CVE-2022-41848", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41848" }, { "cve": "CVE-2022-41850", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41850" }, { "cve": "CVE-2022-41854", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41854" }, { "cve": "CVE-2022-41858", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41858" }, { "cve": "CVE-2022-41881", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41881" }, { "cve": "CVE-2022-41903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41903" }, { "cve": "CVE-2022-41915", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41915" }, { "cve": "CVE-2022-41966", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41966" }, { "cve": "CVE-2022-41974", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41974" }, { "cve": "CVE-2022-42003", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42003" }, { "cve": "CVE-2022-42004", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42004" }, { "cve": "CVE-2022-42010", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42010" }, { "cve": "CVE-2022-42011", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42011" }, { "cve": "CVE-2022-42012", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42012" }, { "cve": "CVE-2022-42328", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42328" }, { "cve": "CVE-2022-42329", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42329" }, { "cve": "CVE-2022-42703", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42703" }, { "cve": "CVE-2022-42889", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42889" }, { "cve": "CVE-2022-42895", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42895" }, { "cve": "CVE-2022-42896", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42896" }, { "cve": "CVE-2022-42898", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42898" }, { "cve": "CVE-2022-4292", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4292" }, { "cve": "CVE-2022-4293", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4293" }, { "cve": "CVE-2022-42969", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42969" }, { "cve": "CVE-2022-4304", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4304" }, { "cve": "CVE-2022-43552", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-43552" }, { "cve": "CVE-2022-43680", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-43680" }, { "cve": "CVE-2022-43750", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-43750" }, { "cve": "CVE-2022-4378", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4378" }, { "cve": "CVE-2022-43945", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-43945" }, { "cve": "CVE-2022-43995", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-43995" }, { "cve": "CVE-2022-4415", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4415" }, { "cve": "CVE-2022-4450", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4450" }, { "cve": "CVE-2022-44638", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-44638" }, { "cve": "CVE-2022-45061", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45061" }, { "cve": "CVE-2022-45688", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45688" }, { "cve": "CVE-2022-45884", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45884" }, { "cve": "CVE-2022-45885", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45885" }, { "cve": "CVE-2022-45886", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45886" }, { "cve": "CVE-2022-45887", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45887" }, { "cve": "CVE-2022-45919", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45919" }, { "cve": "CVE-2022-45934", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45934" }, { "cve": "CVE-2022-45939", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45939" }, { "cve": "CVE-2022-4662", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4662" }, { "cve": "CVE-2022-46751", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-46751" }, { "cve": "CVE-2022-46908", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-46908" }, { "cve": "CVE-2022-47629", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-47629" }, { "cve": "CVE-2022-47929", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-47929" }, { "cve": "CVE-2022-48281", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-48281" }, { "cve": "CVE-2022-48337", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-48337" }, { "cve": "CVE-2022-48339", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-48339" }, { "cve": "CVE-2023-0045", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0045" }, { "cve": "CVE-2023-0049", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0049" }, { "cve": "CVE-2023-0051", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0051" }, { "cve": "CVE-2023-0054", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0054" }, { "cve": "CVE-2023-0215", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0215" }, { "cve": "CVE-2023-0286", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0286" }, { "cve": "CVE-2023-0288", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0288" }, { "cve": "CVE-2023-0433", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0433" }, { "cve": "CVE-2023-0464", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0464" }, { "cve": "CVE-2023-0465", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0465" }, { "cve": "CVE-2023-0466", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0466" }, { "cve": "CVE-2023-0512", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0512" }, { "cve": "CVE-2023-0590", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0590" }, { "cve": "CVE-2023-0597", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0597" }, { "cve": "CVE-2023-0833", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0833" }, { "cve": "CVE-2023-1076", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1076" }, { "cve": "CVE-2023-1095", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1095" }, { "cve": "CVE-2023-1118", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1118" }, { "cve": "CVE-2023-1127", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1127" }, { "cve": "CVE-2023-1170", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1170" }, { "cve": "CVE-2023-1175", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1175" }, { "cve": "CVE-2023-1370", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1370" }, { "cve": "CVE-2023-1380", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1380" }, { "cve": "CVE-2023-1390", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1390" }, { "cve": "CVE-2023-1436", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1436" }, { "cve": "CVE-2023-1513", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1513" }, { "cve": "CVE-2023-1611", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1611" }, { "cve": "CVE-2023-1670", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1670" }, { "cve": "CVE-2023-1855", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1855" }, { "cve": "CVE-2023-1989", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1989" }, { "cve": "CVE-2023-1990", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1990" }, { "cve": "CVE-2023-1998", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1998" }, { "cve": "CVE-2023-20862", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-20862" }, { "cve": "CVE-2023-2124", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2124" }, { "cve": "CVE-2023-2162", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2162" }, { "cve": "CVE-2023-2176", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2176" }, { "cve": "CVE-2023-21830", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21830" }, { "cve": "CVE-2023-21835", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21835" }, { "cve": "CVE-2023-21843", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21843" }, { "cve": "CVE-2023-21930", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21930" }, { "cve": "CVE-2023-21937", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21937" }, { "cve": "CVE-2023-21938", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21938" }, { "cve": "CVE-2023-21939", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21939" }, { "cve": "CVE-2023-2194", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2194" }, { "cve": "CVE-2023-21954", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21954" }, { "cve": "CVE-2023-21967", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21967" }, { "cve": "CVE-2023-21968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21968" }, { "cve": "CVE-2023-22490", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-22490" }, { "cve": "CVE-2023-2253", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2253" }, { "cve": "CVE-2023-22809", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-22809" }, { "cve": "CVE-2023-23454", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-23454" }, { "cve": "CVE-2023-23455", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-23455" }, { "cve": "CVE-2023-23559", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-23559" }, { "cve": "CVE-2023-23916", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-23916" }, { "cve": "CVE-2023-23946", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-23946" }, { "cve": "CVE-2023-24329", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-24329" }, { "cve": "CVE-2023-24532", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-24532" }, { "cve": "CVE-2023-24534", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-24534" }, { "cve": "CVE-2023-2483", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2483" }, { "cve": "CVE-2023-24998", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-24998" }, { "cve": "CVE-2023-2513", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2513" }, { "cve": "CVE-2023-25193", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-25193" }, { "cve": "CVE-2023-25652", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-25652" }, { "cve": "CVE-2023-25690", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-25690" }, { "cve": "CVE-2023-25809", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-25809" }, { "cve": "CVE-2023-25815", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-25815" }, { "cve": "CVE-2023-26048", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-26048" }, { "cve": "CVE-2023-26049", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-26049" }, { "cve": "CVE-2023-2650", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2650" }, { "cve": "CVE-2023-26545", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-26545" }, { "cve": "CVE-2023-26604", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-26604" }, { "cve": "CVE-2023-27533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-27533" }, { "cve": "CVE-2023-27534", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-27534" }, { "cve": "CVE-2023-27535", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-27535" }, { "cve": "CVE-2023-27536", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-27536" }, { "cve": "CVE-2023-27538", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-27538" }, { "cve": "CVE-2023-27561", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-27561" }, { "cve": "CVE-2023-2828", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2828" }, { "cve": "CVE-2023-28320", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28320" }, { "cve": "CVE-2023-28321", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28321" }, { "cve": "CVE-2023-28322", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28322" }, { "cve": "CVE-2023-28328", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28328" }, { "cve": "CVE-2023-28464", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28464" }, { "cve": "CVE-2023-28486", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28486" }, { "cve": "CVE-2023-28487", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28487" }, { "cve": "CVE-2023-28642", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28642" }, { "cve": "CVE-2023-28772", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28772" }, { "cve": "CVE-2023-28840", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28840" }, { "cve": "CVE-2023-28841", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28841" }, { "cve": "CVE-2023-28842", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28842" }, { "cve": "CVE-2023-29007", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-29007" }, { "cve": "CVE-2023-29383", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-29383" }, { "cve": "CVE-2023-29402", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-29402" }, { "cve": "CVE-2023-29406", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-29406" }, { "cve": "CVE-2023-29409", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-29409" }, { "cve": "CVE-2023-2976", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2976" }, { "cve": "CVE-2023-30630", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-30630" }, { "cve": "CVE-2023-30772", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-30772" }, { "cve": "CVE-2023-31084", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-31084" }, { "cve": "CVE-2023-3138", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-3138" }, { "cve": "CVE-2023-31436", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-31436" }, { "cve": "CVE-2023-31484", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-31484" }, { "cve": "CVE-2023-32269", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-32269" }, { "cve": "CVE-2023-32697", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-32697" }, { "cve": "CVE-2023-33264", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-33264" }, { "cve": "CVE-2023-34034", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-34034" }, { "cve": "CVE-2023-34035", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-34035" }, { "cve": "CVE-2023-34453", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-34453" }, { "cve": "CVE-2023-34454", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-34454" }, { "cve": "CVE-2023-34455", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-34455" }, { "cve": "CVE-2023-34462", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-34462" }, { "cve": "CVE-2023-35116", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-35116" }, { "cve": "CVE-2023-3635", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-3635" }, { "cve": "CVE-2023-36479", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-36479" }, { "cve": "CVE-2023-39533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-39533" }, { "cve": "CVE-2023-40167", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-40167" }, { "cve": "CVE-2023-40217", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-40217" }, { "cve": "CVE-2023-41105", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-41105" }, { "cve": "CVE-2023-41900", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-41900" }, { "cve": "CVE-2023-43642", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-43642" }, { "cve": "CVE-2023-43804", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-43804" }, { "cve": "CVE-2023-44487", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-44487" }, { "cve": "CVE-2023-45803", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-45803" }, { "cve": "CVE-2024-21626", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2024-21626" } ] }
gsd-2022-23307
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Aliases
Aliases
{ "GSD": { "alias": "CVE-2022-23307", "description": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.", "id": "GSD-2022-23307", "references": [ "https://www.suse.com/security/cve/CVE-2022-23307.html", "https://access.redhat.com/errata/RHSA-2022:0661", "https://access.redhat.com/errata/RHSA-2022:0553", "https://access.redhat.com/errata/RHSA-2022:0527", "https://access.redhat.com/errata/RHSA-2022:0524", "https://access.redhat.com/errata/RHSA-2022:0507", "https://access.redhat.com/errata/RHSA-2022:0497", "https://access.redhat.com/errata/RHSA-2022:0475", "https://access.redhat.com/errata/RHSA-2022:0469", "https://access.redhat.com/errata/RHSA-2022:0467", "https://access.redhat.com/errata/RHSA-2022:0450", "https://access.redhat.com/errata/RHSA-2022:0449", "https://access.redhat.com/errata/RHSA-2022:0448", "https://access.redhat.com/errata/RHSA-2022:0447", "https://access.redhat.com/errata/RHSA-2022:0446", "https://access.redhat.com/errata/RHSA-2022:0445", "https://access.redhat.com/errata/RHSA-2022:0444", "https://access.redhat.com/errata/RHSA-2022:0442", "https://access.redhat.com/errata/RHSA-2022:0439", "https://access.redhat.com/errata/RHSA-2022:0438", "https://access.redhat.com/errata/RHSA-2022:0437", "https://access.redhat.com/errata/RHSA-2022:0436", "https://access.redhat.com/errata/RHSA-2022:0435", "https://access.redhat.com/errata/RHSA-2022:0430", "https://access.redhat.com/errata/RHSA-2022:0294", "https://access.redhat.com/errata/RHSA-2022:0291", "https://access.redhat.com/errata/RHSA-2022:0290", "https://access.redhat.com/errata/RHSA-2022:0289", "https://access.redhat.com/errata/RHSA-2022:1296", "https://access.redhat.com/errata/RHSA-2022:1297", "https://access.redhat.com/errata/RHSA-2022:1299", "https://linux.oracle.com/cve/CVE-2022-23307.html", "https://access.redhat.com/errata/RHSA-2022:5458", "https://access.redhat.com/errata/RHSA-2022:5459", "https://access.redhat.com/errata/RHSA-2022:5460" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2022-23307" ], "details": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.", "id": "GSD-2022-23307", "modified": "2023-12-13T01:19:35.693540Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-23307", "STATE": "PUBLIC", "TITLE": " A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution." }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Log4j 1.x", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "1.2.1" }, { "version_affected": "\u003c=", "version_value": "2.0-alpha1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "@kingkk" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "Critical" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data" } ] } ] }, "references": { "reference_data": [ { "name": "https://logging.apache.org/log4j/1.2/index.html", "refsource": "MISC", "url": "https://logging.apache.org/log4j/1.2/index.html" }, { "name": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", "refsource": "MISC", "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "eng", "value": "Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0." } ] }, "gitlab.com": { "advisories": [ { "affected_range": "[1.2,2.0)", "affected_versions": "All versions starting from 1.2 before 2.0", "cvss_v2": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-502", "CWE-937" ], "date": "2023-02-24", "description": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j where the same issue exists.", "fixed_versions": [], "identifier": "CVE-2022-23307", "identifiers": [ "CVE-2022-23307" ], "not_impacted": "", "package_slug": "maven/log4j/log4j", "pubdate": "2022-01-18", "solution": "Unfortunately, there is no solution available yet.", "title": "Deserialization of Untrusted Data", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", "https://logging.apache.org/log4j/1.2/index.html" ], "uuid": "fbe7be38-2e84-44a9-a8ba-10ca11e03b03" }, { "affected_range": "[1.2,2.0)", "affected_versions": "All versions starting from 1.2 before 2.0", "cvss_v2": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-502", "CWE-937" ], "date": "2023-02-24", "description": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j where the same issue exists.", "fixed_versions": [ "2.0" ], "identifier": "CVE-2022-23307", "identifiers": [ "CVE-2022-23307" ], "not_impacted": "All versions before 1.2, all versions starting from 2.0", "package_slug": "maven/org.apache.logging.log4j/log4j", "pubdate": "2022-01-18", "solution": "Upgrade to version 2.0 or above.", "title": "Deserialization of Untrusted Data", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", "https://logging.apache.org/log4j/1.2/index.html" ], "uuid": "9e42eb94-1dd2-4d0e-9220-df2c4ebd7d3e" }, { "affected_range": "(,0)", "affected_versions": "All versions before 0", "cvss_v2": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-502", "CWE-937" ], "date": "2023-02-24", "description": "This advisory has been marked as False Positive and removed.", "fixed_versions": [], "identifier": "CVE-2022-23307", "identifiers": [ "CVE-2022-23307" ], "not_impacted": "", "package_slug": "maven/org.webjars.npm/chainsaw", "pubdate": "2022-01-18", "solution": "Unfortunately, there is no solution available yet.", "title": "False Positive", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", "https://logging.apache.org/log4j/1.2/index.html", "https://www.oracle.com/security-alerts/cpuapr2022.html" ], "uuid": "99aabfb6-790f-44d3-a770-ece4f97db72d" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:chainsaw:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.1.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.0", "versionStartIncluding": "1.2", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "1.2.18.1", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "11.2.8.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "8.0.29", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "11.2.8.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.2.1.1.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "12.0.0.4.4", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-23307" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-502" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", "refsource": "MISC", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" }, { "name": "https://logging.apache.org/log4j/1.2/index.html", "refsource": "MISC", "tags": [ "Vendor Advisory" ], "url": "https://logging.apache.org/log4j/1.2/index.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "N/A", "refsource": "N/A", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9 } }, "lastModifiedDate": "2023-02-24T15:29Z", "publishedDate": "2022-01-18T16:15Z" } } }
ghsa-f7vh-qwp3-x37m
Vulnerability from github
Published
2022-01-19 00:01
Modified
2022-11-25 17:19
Severity ?
Summary
Deserialization of Untrusted Data in Apache Log4j
Details
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Users are advised to migrate from log4j:log4j
to org.apache.logging.log4j:log4j
for an updated version of the library.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "log4j:log4j" }, "ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "1.2.17" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.zenframework.z8.dependencies.commons:log4j-1.2.17" }, "ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "2.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-23307" ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2022-06-20T22:48:35Z", "nvd_published_at": "2022-01-18T16:15:00Z", "severity": "CRITICAL" }, "details": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.\n\nUsers are advised to migrate from `log4j:log4j` to `org.apache.logging.log4j:log4j` for an updated version of the library.", "id": "GHSA-f7vh-qwp3-x37m", "modified": "2022-11-25T17:19:49Z", "published": "2022-01-19T00:01:15Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "type": "WEB", "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" }, { "type": "WEB", "url": "https://logging.apache.org/log4j/1.2/index.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Deserialization of Untrusted Data in Apache Log4j" }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.